
NVD HIGH: CVE-2026-55895 — Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript ...

Source: NIST NVD


Executive Summary

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash characte

Analysis

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.

CVSS Score: 7.8
Published: 2026-06-25T16:16:41.077
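A triage check for the condition described above, added here as an example and not taken from NVD or the Vim project: it compares `vim --version` output against the fixed version 9.2.0663 and lists directory entries whose names contain the bar character. The function names and the two sample strings are constructed for illustration.

```python
import os
import re
import shutil
import subprocess

FIXED = (9, 2, 663)  # first fixed version per the advisory: 9.2.0663

# Constructed samples of `vim --version` header lines, not captured output.
SAMPLE_OLD = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-16, 18-662\n"
SAMPLE_NEW = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-663\n"

def parse_vim_version(text):
    """Return (major, minor, highest_patch) from `vim --version` text."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not `vim --version` output")
    patch = 0  # a build with no patches prints no "Included patches" line
    p = re.search(r"^Included patches:\s*(.+)$", text, re.M)
    if p:
        # The list may mix ranges and single numbers, e.g. "1-16, 18-662".
        patch = max(int(n) for n in re.findall(r"\d+", p.group(1)))
    return int(m.group(1)), int(m.group(2)), patch

def is_fixed(text):
    """True when the reported version is 9.2.0663 or later."""
    return parse_vim_version(text) >= FIXED

def find_bar_names(root):
    """Paths under root whose entry name contains '|', the Ex command separator."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in dirnames + filenames if "|" in n]
    return sorted(hits)

if __name__ == "__main__":
    vim = shutil.which("vim")
    if vim:
        out = subprocess.run([vim, "--version"], capture_output=True, text=True).stdout
        print("fixed" if is_fixed(out) else "vulnerable: upgrade to 9.2.0663 or later")
    for path in find_bar_names("."):
        print("name contains '|':", path)
```

A version comparison cannot see a fix that a distribution backported into an older package, so confirm against the vendor's advisory when the check reports a version below 9.2.0663.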

Indicators of Compromise (1)

CVE (1)
CVE-2026-55895

Source Attribution

Originally published by NIST NVD on Jun 25, 2026. Verified by: NIST.
