LOW
Neovim
CVE published 2026-06-08
CVE-2026-11487
A command injection vulnerability was found in Neovim up to version 0.12.2. The vulnerability affects the M.read function in the runtime/lua/vim/secure.lua file. An attacker can exploit this vulnerability by manipulating the path argument, leading to command injection on the local host. The CVSS score for this vulnerability is 1.9, indicating a low severity.