CVE-2026-39881

Published: 08 Apr 2026
Source: redhat
CVSS3: 5
EPSS: Low

Description

A flaw was found in Vim. A command injection vulnerability in Vim's NetBeans interface allows a malicious NetBeans server to execute arbitrary Ex commands when Vim connects to it. This occurs due to unsanitized strings in the defineAnnoType and specialKeys protocol messages, leading to arbitrary code execution.

Statement

A command injection flaw in Vim's NetBeans interface allows a malicious NetBeans server to execute arbitrary commands when Vim connects to it. This happens because Vim does not sanitize strings in the protocol command messages; an attacker may leverage that to send maliciously crafted messages to the client that place a | character in certain command fields, which Vim then interprets as introducing a further Ex command, executing arbitrary code on the victim's machine. Red Hat Product Security has rated this vulnerability as having Moderate impact because, for an attack to be considered successful, the victim needs to deliberately connect to an untrusted malicious NetBeans server, or the attacker needs to intercept the control messages and alter them (MiTM) to carry the malicious payload. Additionally, the code will be executed with the same privileges as the user running the Vim process, so the impact is restricted to the privilege level of the editing process.
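As an added illustration (not part of the advisory or of Vim's own code), a defender-side parser for NetBeans protocol command lines that flags defineAnnoType and specialKeys messages whose string fields carry an Ex command separator; the line layout and backslash escapes are assumptions taken from the NetBeans protocol description, and the sample traffic is constructed.

```python
import re

# Layout of a server-to-Vim NetBeans command line, "<bufid>:<cmd>!<seqno> <args>",
# and the double-quoted, backslash-escaped string arguments are assumptions taken
# from the NetBeans protocol description, not from the advisory text.
CMD_RE = re.compile(r'^(?P<buf>\d+):(?P<cmd>[A-Za-z]+)!(?P<seq>\d+)(?: (?P<args>.*))?$')
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"')

# The two commands the advisory names as carrying unsanitized strings.
RISKY_COMMANDS = {"defineAnnoType", "specialKeys"}
# Characters that would let a string field be read as the start of another Ex command.
EX_SEPARATORS = {"|", "\n", "\r"}


def unescape(s):
    """Undo the protocol's backslash escapes for quote, backslash, newline, tab and CR."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_command(line):
    """Split one command line into buffer id, command name, sequence number and decoded strings."""
    m = CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    strings = [unescape(raw) for raw in STRING_RE.findall(m.group("args") or "")]
    return {"buf": int(m.group("buf")), "cmd": m.group("cmd"), "seq": int(m.group("seq")), "strings": strings}


def find_injection_attempts(lines):
    """Return (line_no, command, offending string) for risky commands whose fields carry an Ex separator."""
    hits = []
    for n, line in enumerate(lines, 1):
        msg = parse_command(line)
        if msg is None or msg["cmd"] not in RISKY_COMMANDS:
            continue
        for s in msg["strings"]:
            if any(c in s for c in EX_SEPARATORS):
                hits.append((n, msg["cmd"], s))
    return hits


# Constructed sample traffic (not captured from a real server): benign messages plus two
# whose string fields smuggle a '|' into an annotation type name and a specialKeys value.
SAMPLE_TRAFFIC = [
    '0:version!0 "2.5"',
    '1:defineAnnoType!2 1 "Bookmark" "" "" "red" "white"',
    '1:defineAnnoType!3 2 "Hint | echo injected" "" "" "blue" "white"',
    '0:specialKeys!4 "F1 | echo injected"',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_TRAFFIC):
        print("line %d: %s carries %r" % hit)
```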

Mitigation

Users should refrain from connecting to untrusted NetBeans servers.

Affected packages

Platform                                    Package   State          Advisory   Release
Red Hat Enterprise Linux 10                 vim       Fix deferred
Red Hat Enterprise Linux 6                  vim       Fix deferred
Red Hat Enterprise Linux 7                  vim       Fix deferred
Red Hat Enterprise Linux 8                  vim       Fix deferred
Red Hat Enterprise Linux 9                  vim       Fix deferred
Red Hat OpenShift Container Platform 4      rhcos     Fix deferred


Additional information

Severity: Moderate
Weakness: CWE-78
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2456722
vim: Vim: Arbitrary code execution via command injection in NetBeans interface

EPSS: 0.00159 (percentile 37%, Low)
CVSS3: 5 (Medium)

Related vulnerabilities

CVSS3: 5
ubuntu
7 days ago

Ex command injection in Vim's NetBeans integration

CVSS3: 5
nvd
7 days ago

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

CVSS3: 5
msrc
5 days ago

Vim Ex command injection in Vim's NetBeans integration

CVSS3: 5
debian
7 days ago

Vim is an open source, command line text editor. Prior to 9.2.0316, a ...
