PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47162 vim CVE debrief

A code injection vulnerability exists in Vim's Netrw plugin, specifically in the `s:NetrwBookHistSave()` function. This function is used to save the history of browsed directories to the `~/.vim/.netrwhist` file. The vulnerability occurs when directory names are not properly escaped, allowing an attacker to inject arbitrary Vimscript code, including shell commands, by manipulating the directory name.

Vendor
vim
Product
Unknown
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-11
Original CVE updated
2026-06-13
Advisory published
2026-06-11
Advisory updated
2026-06-13

Who should care

Users of Vim, particularly those who use the Netrw plugin to browse directories, should be aware of this vulnerability; its CVSS score of 7.3 (High) indicates a significant risk.

Technical summary

The vulnerability arises from the way directory names are serialized into the history file. Specifically, directory names are interpolated into a single-quoted Vimscript string literal without proper escaping of embedded single quotes. This allows a crafted directory name to break out of the string context and execute arbitrary Vimscript code.
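As an added illustration (not Netrw's code; the page does not describe the upstream fix), the snippet below models the unescaped single-quoted write described above beside a form that doubles embedded quotes, which is how Vim's literal-string syntax (`:help literal-string`) represents a single quote, and a small decoder that reports whether a written history line round-trips cleanly. The `g:netrw_dirhist_N` variable name and the sample directory names are assumed for illustration only.

```python
# Added example: model of serializing a directory name into a Vimscript
# single-quoted literal, plus a decoder that checks the written line.
# Variable name and inputs are constructed for illustration.


def escape_literal(name: str) -> str:
    """Escape for a Vimscript single-quoted literal: each ' becomes ''."""
    return name.replace("'", "''")


def serialize_vulnerable(n: int, name: str) -> str:
    """Unescaped interpolation, as the technical summary describes."""
    return f"let g:netrw_dirhist_{n} = '{name}'"


def serialize_hardened(n: int, name: str) -> str:
    """Same line with embedded single quotes doubled."""
    return f"let g:netrw_dirhist_{n} = '{escape_literal(name)}'"


def parse_literal(src: str, start: int) -> tuple[str, int]:
    """Decode a single-quoted literal starting at src[start] == "'".

    Returns (decoded value, index just past the closing quote).
    """
    assert src[start] == "'"
    out, i = [], start + 1
    while i < len(src):
        if src[i] == "'":
            if i + 1 < len(src) and src[i + 1] == "'":
                out.append("'")  # doubled quote -> literal quote
                i += 2
                continue
            return "".join(out), i + 1  # closing quote
        out.append(src[i])
        i += 1
    raise ValueError("unterminated literal")


def check_line(line: str, expected: str) -> dict:
    """Report the decoded value, any text after the closing quote, and
    whether the line is safe (round-trips with nothing trailing)."""
    value, end = parse_literal(line, line.index("'"))
    trailing = line[end:]
    return {"value": value, "trailing": trailing,
            "safe": value == expected and trailing == ""}
```

Any non-empty `trailing` means the literal closed early and the rest of the line would be parsed as further Vimscript when the history file is sourced.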

Defensive priority

High

Recommended defensive actions

  • Update Vim to version 9.2.0495 or later, which patches the vulnerability.
  • Consult the official CVE record at [cve-org] for more information.
  • Refer to the NVD detail page at [nvd] for additional information.
  • See the vendor advisory at [ref-6] for more details.

Evidence notes

The CVE record and NVD detail page provide official information about the vulnerability. The vendor advisory and patch information are available on GitHub.

Official resources

CVE-2026-47162 was published on 2026-06-11T19:16:44.160Z and modified on 2026-06-13T01:04:09.357Z.