CVE-2026-11487

NameCVE-2026-11487
DescriptionA flaw has been found in Neovim up to 0.12.2. Affected by this issue is the function M.read of the file runtime/lua/vim/secure.lua of the component View Branch. Executing a manipulation of the argument path can lead to command injection. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A patch should be applied to remediate this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1139999

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
neovim (PTS)bullseye0.4.4-1vulnerable
bookworm0.7.2-7vulnerable
trixie0.10.4-8vulnerable
forky0.11.6-1vulnerable
sid0.12.3-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
neovimsource(unstable)0.12.3-11139999

Notes

https://github.com/neovim/neovim/issues/39914
https://github.com/neovim/neovim/pull/39918
https://github.com/neovim/neovim/commit/f83e0dcaf8cf18de94828341b0a1a61a86c75baf (v0.12.3)
Search for package or bug name: Reporting problems