CVE-2026-33412

NameCVE-2026-33412
DescriptionVim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1131450

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
vim (PTS)bullseye2:8.2.2434-3+deb11u1vulnerable
bullseye (security)2:8.2.2434-3+deb11u3vulnerable
bookworm2:9.0.1378-2+deb12u2vulnerable
trixie2:9.1.1230-2vulnerable
forky2:9.2.0218-1fixed
sid2:9.2.0315-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
vimsource(unstable)2:9.2.0218-11131450

Notes

https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c
https://github.com/vim/vim/pull/19746
Fixed by: https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a (v9.2.0202)
Search for package or bug name: Reporting problems