PatchSiren cyber security CVE debrief
CVE-2026-59858 vim CVE debrief
CVE-2026-59858 is a high-severity vulnerability in Vim's C omni-completion script. This issue allows arbitrary Ex command execution when a hostile .c file with a crafted tag field is opened and C omni-completion is invoked. The vulnerability exists because the C omni-completion script interpolates the typeref: or typename: extension field of a tags entry without escaping, into a :vimgrep pattern that is run through :execute. A crafted tag field can close the search pattern and append an arbitrary Ex command. Users of Vim version prior to 9.2.0735 who open .c files from untrusted sources should be aware of this vulnerability and take necessary precautions.
- Vendor
- vim
- Product
- Unknown
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of Vim version prior to 9.2.0735 who open .c files from untrusted sources should be aware of this vulnerability and take necessary precautions. This includes developers, system administrators, and users who work with .c files. The vulnerability can be exploited by opening a hostile .c file with a crafted tag field and invoking C omni-completion, which can lead to arbitrary Ex command execution.
Technical summary
The C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry without escaping, into a :vimgrep pattern that is run through :execute. A crafted tag field can close the search pattern and append an arbitrary Ex command, allowing for arbitrary Ex command execution. This vulnerability can be exploited by opening a hostile .c file with a crafted tag field and invoking C omni-completion. The vulnerability is fixed in version 9.2.0735.
Defensive priority
High
Recommended defensive actions
- Update Vim to version 9.2.0735 or later
- Avoid opening .c files from untrusted sources
- Use caution when invoking C omni-completion on untrusted files
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-09T23:17:06.740Z and was last modified on 2026-07-10T15:52:29.883Z. The evidence for this vulnerability comes from the official CVE record and NVD detail page. The affected product is Vim, a command line text editor. The vulnerability exists in the C omni-completion script in runtime/autoload/ccomplete.vim. The CVE record and NVD detail page provide additional information on the vulnerability, including its severity and potential impact. However, the record does not provide information on known affected scope or verified exploit attempts.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T23:17:06.740Z and has not been modified since then.