PatchSiren cyber security CVE debrief
CVE-2026-47167 vim CVE debrief
A code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Prior to version 9.2.0496, step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping. This allows a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d).
- Vendor: vim
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Vim built with +ruby support who edit Cucumber feature files, especially in repositories they do not control.
Technical summary
The cucumber filetype plugin's s:stepmatch() reads step-definition patterns from .rb files under the repository's features/*/ and stories/*/ directories and embeds them, without sufficient escaping, into a string passed to Ruby's Kernel.eval. A crafted pattern in a repository the user opens therefore runs arbitrary Ruby, and through it arbitrary shell commands, as soon as the user invokes a step-jump mapping ([d or ]d). Only Vim builds with +ruby support are affected.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Vim to version 9.2.0496 or later.
- On unpatched builds, do not open Cucumber feature files from untrusted repositories in a Vim with +ruby support.
- Until patched, avoid the [d and ]d step-jump mappings while editing files from repositories you do not control.
Evidence notes
CVE-2026-47167 has a CVSS score of 5.1 and is classified as MEDIUM severity.
Official resources
CVE-2026-47167 was published on 2026-06-11T19:16:44.560Z and modified on 2026-06-11T20:56:29.653Z.