PatchSiren cyber security CVE debrief
CVE-2026-52858 vim CVE debrief
CVE-2026-52858 is a high-severity vulnerability in Vim's Python omni-completion script. The vulnerability exists in python3complete.vim for Vim with the +python3 interpreter enabled and in pythoncomplete.vim for builds with the +python interpreter. When a user opens a hostile .py file with a sibling Python package and invokes omni-completion, it runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
- Vendor: vim
- Product: Unknown
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Vim with the +python3 or +python interpreter enabled should be aware of this vulnerability. Specifically, developers and users who work with Python files in Vim and use the omni-completion feature are at risk.
Technical summary
The Python omni-completion script in python3complete.vim and pythoncomplete.vim executes import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user.
Defensive priority
High
Recommended defensive actions
- Update Vim to version 9.2.0561 or later.
- Avoid opening untrusted .py files in Vim with the +python3 or +python interpreter enabled.
- Use caution when invoking omni-completion on Python files from untrusted sources.
Evidence notes
CVE-2026-52858 has a CVSS score of 7.3 and is classified as HIGH severity. The vulnerability is related to CWE-94, CWE-95, and CWE-829.
Official resources
CVE-2026-52858 was published on 2026-06-11T19:16:47.487Z and modified on 2026-06-11T20:56:29.653Z.