CVE-2026-33412
Published: 24 March 2026
Summary
CVE-2026-33412 is a medium-severity OS Command Injection (CWE-78) vulnerability in Vim Vim. Its CVSS base score is 5.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the command injection vulnerability in Vim's glob() function by requiring timely patching to version 9.2.0202 or later.
Addresses the improper neutralization of special elements like newlines in inputs to glob() by enforcing validation and filtering prior to processing.
Mitigates exploitation dependent on Vim's 'shell' setting by establishing and enforcing secure configuration settings for the editor.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables local command injection in Vim (Unix) via malicious glob() patterns/files, directly mapping to client-side exploitation (T1203) and arbitrary Unix shell command execution (T1059.004).
NVD Description
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may…
more
be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
Deeper analysisAI
CVE-2026-33412 is a command injection vulnerability in the glob() function of Vim, an open source command line text editor, affecting versions prior to 9.2.0202 on Unix-like systems. The flaw arises when a pattern passed to glob() includes a newline character (\n), enabling arbitrary shell command execution. This issue is tied to the user's 'shell' setting and is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Exploitation requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R), with a CVSS v3.1 base score of 5.6 (C:L/I:H/A:N). A low-privileged local attacker could trick a user into processing a malicious pattern via glob(), such as in a file or script opened in Vim, leading to command injection and potential integrity compromise through arbitrary shell command execution.
The vulnerability has been patched in Vim version 9.2.0202, as detailed in the GitHub commit (645ed6597d1ea896c712cd7ddbb6edee79577e9a), release notes, and security advisory (GHSA-w5jw-f54h-x46c). Security practitioners should update to the fixed version and review configurations involving the 'shell' setting, with further discussion available on the oss-security mailing list.
Details
- CWE(s)