CVE-2026-42307

Name	CVE-2026-42307
Description	Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
vim (PTS)	bullseye	2:8.2.2434-3+deb11u1	vulnerable
	bullseye (security)	2:8.2.2434-3+deb11u3	vulnerable
	bookworm	2:9.0.1378-2+deb12u2	vulnerable
	trixie	2:9.1.1230-2	vulnerable
	forky	2:9.2.0355-1	vulnerable
	sid	2:9.2.0428-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
vim	source	(unstable)	2:9.2.0428-1

Notes

https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx
Fixed by: https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc (v9.2.0383)