PatchSiren cyber security CVE debrief
CVE-2026-52860 vim CVE debrief
CVE-2026-52860 is a high-severity vulnerability in Vim's Python omni-completion feature. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. This allows a hostile buffer to execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation does not cover this path, as the attacker-controlled code is not a harvested import/from statement.
- Vendor: vim
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Vim users who open untrusted or user-supplied content and use Python omni-completion are exposed; they should update or apply the mitigations listed under the recommended defensive actions.
Technical summary
The vulnerability exists in Vim's Python omni-completion feature, which executes reconstructed function and class definitions from the current buffer with exec(). This allows a hostile buffer to execute attacker-controlled Python expressions during omni-completion.
Defensive priority
High
Recommended defensive actions
- Update Vim to version 9.2.0597 or later.
- Avoid editing untrusted or user-supplied content in Vim.
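As an added example (not from the advisory or the Vim project), a vimrc guard that leaves Python omni-completion disabled on builds that predate the fixed release. It assumes Vim's Python filetype plugin is what sets 'omnifunc', so the snippet must come after `filetype plugin on` in the vimrc for its autocommand to run last.

```vim
" Added example: disable Python omni-completion on Vim builds without the fix.
" patch-9.2.597 is patch 597 of the 9.2 series, i.e. the v9.2.0597 release
" named in the advisory; has('patch-X.Y.Z') is the standard version check.
" Place this after 'filetype plugin on' so the autocommand below runs after
" the Python filetype plugin has already set the buffer-local 'omnifunc'.
if !has('patch-9.2.597')
  augroup PythonOmniGuard
    autocmd!
    " Clear the completion function for Python buffers so that <C-X><C-O>
    " no longer hands buffer contents to the Python completer.
    autocmd FileType python setlocal omnifunc=
  augroup END
endif
```

Once Vim is upgraded to 9.2.0597 or later the guard becomes a no-op and can be removed.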
Evidence notes
The CVE-2026-52860 vulnerability has been patched in Vim version 9.2.0597. References to additional information can be found at [ref-4](https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2), [ref-5](https://github.com/vim/vim/releases/tag/v9.2.0597), [ref-6](https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c), and [ref-7](https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468).
Official resources
CVE-2026-52860 was published on 2026-06-11T19:16:47.773Z and modified on 2026-06-11T20:56:29.653Z.