PatchSiren cyber security CVE debrief
CVE-2026-59856 vim CVE debrief
CVE-2026-59856 is a high-severity vulnerability in Vim's PHP omni-completion script. This issue allows for arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. The vulnerability is fixed in Vim version 9.2.0736. The vulnerability affects users of Vim, especially those working with PHP files. The vulnerability has a CVSS score of 8.4 and a CVSS severity of HIGH.
- Vendor
- vim
- Product
- Unknown
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of Vim, especially those working with PHP files, should be aware of this vulnerability and update to Vim version 9.2.0736 or later to mitigate the risk. This vulnerability may affect developers, system administrators, and security teams who use Vim for editing PHP files.
Technical summary
The PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution.
Defensive priority
High
Recommended defensive actions
- Update to Vim version 9.2.0736 or later
- Use caution when opening PHP files from untrusted sources
- Consider disabling omni-completion for PHP files until a fix is applied
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-09T23:17:06.420Z and last modified on 2026-07-10T16:16:38.283Z. The NVD entry is currently Undergoing Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. This allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T23:17:06.420Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.