CVE-2026-52860

HIGH EPSS 13.0%
Published Jun 11, 20262w ago · Modified Jun 17, 20261w ago
7.5 CVSS 4.0
High
Find Similar
Published Jun 11, 2026 2w ago
Last Modified Jun 17, 2026 1w ago

Description

Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.

CVSS Details

Base Score
7.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
13.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 1

VendorProductVersionRange
vimvim* <9.2.0597

References 4

  • github.com https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2
    Patch
  • github.com https://github.com/vim/vim/releases/tag/v9.2.0597
    Product
  • github.com https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
    MitigationVendor Advisory
  • github.com https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
    Vendor Advisory

Remediation

  • github.com https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2
    Patch