Descriptionvim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used to edit a malicious file, as demonstrated using mutt.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
vim (PTS)bullseye2:8.2.2434-3+deb11u1fixed
sid, trixie2:9.1.0496-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


woody seems to be still vulnerable
according to bug #178102 a fixed package was uploaded to the security team in January 2003
but no advisory (nor fixed package) have been published yet.
I've mailed maintainer Luca Filipozzi <> about this.
No response from maintainer, I have mailed security team.
Martin Schulze don't consider this as an issue for updating woody.

Search for package or bug name: Reporting problems