PatchSiren cyber security CVE debrief
CVE-2026-11487 Neovim CVE debrief
A command injection vulnerability was found in Neovim up to version 0.12.2. It affects the M.read function in runtime/lua/vim/secure.lua: an attacker who can control the path argument passed to that function can achieve command injection on the local host. The CVSS score for this vulnerability is 1.9, indicating low severity.
- Vendor: Neovim
- Product: Neovim
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of Neovim up to version 0.12.2
Technical summary
The vulnerability is a flaw in the M.read function of runtime/lua/vim/secure.lua. An attacker who controls the path argument supplied to M.read can trigger command injection on the local host.
Defensive priority
Low
Recommended defensive actions
- Apply the patch f83e0dcaf8cf18de94828341b0a1a61a86c75baf to remediate this issue.
- Update Neovim to a version greater than 0.12.2.
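To tell whether a host falls inside the affected range (any Neovim release up to 0.12.2), the following shell check, added here and not part of the PatchSiren advisory, parses the first line of `nvim --version` and compares the version numerically rather than as a string. It assumes that banner has the form "NVIM vX.Y.Z" optionally followed by a development-build suffix such as "-dev-123+gabcdef0".

```shell
#!/bin/sh
# Added example (not part of the PatchSiren advisory): decide whether an installed
# Neovim is within the affected range for CVE-2026-11487 (releases up to 0.12.2).
# Assumption: the first line of `nvim --version` looks like "NVIM v0.12.2" or
# "NVIM v0.13.0-dev-123+gabcdef0"; development suffixes are stripped before comparing.

LAST_AFFECTED="0.12.2"

# Extract "MAJOR.MINOR.PATCH" from a `nvim --version` banner line (empty if unrecognised).
nvim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^NVIM v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Compare two dotted versions component by component; prints -1, 0 or 1.
# String comparison would wrongly rank 0.12.10 below 0.12.2, hence numeric tests.
version_cmp() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the banner denotes a release at or below LAST_AFFECTED.
# Exit 2 means the banner could not be parsed and the host needs manual review.
nvim_affected() {
    ver=$(nvim_version_from_banner "$1")
    [ -n "$ver" ] || { echo "unrecognised banner: $1" >&2; return 2; }
    [ "$(version_cmp "$ver" "$LAST_AFFECTED")" -le 0 ]
}

# Stand-alone use: check the nvim on PATH (silently skipped when nvim is absent).
if command -v nvim >/dev/null 2>&1; then
    banner=$(nvim --version | head -n 1)
    if nvim_affected "$banner"; then
        echo "AFFECTED: $banner is <= $LAST_AFFECTED; update to a release after 0.12.2"
    else
        echo "not affected: $banner"
    fi
fi
```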
Evidence notes
The vulnerability has been publicly disclosed and may be exploited. The CVSS score for this vulnerability is 1.9, indicating low severity.
Official resources
CVE-2026-11487 was published on 2026-06-08T05:16:29.847Z and modified on 2026-06-08T14:57:14.757Z.