Cyber Posture

CVE-2026-35177

Severity: Medium
Published: 06 April 2026
Modified: 20 April 2026
KEV Added: not listed
CVSS Score: 4.1 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L)
EPSS Score: 0.0002 (3.9th percentile)
Risk Priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35177 is a medium-severity Path Traversal (CWE-22) vulnerability in Vim (vendor: Vim, product: Vim). Its CVSS v3.1 base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). Its EPSS score places it at the 3.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly mitigates CVE-2026-35177 by requiring timely flaw remediation through patching Vim to version 9.2.0280 or later.

RA-5 Vulnerability Monitoring and Scanning (detect): Identifies vulnerable Vim installations affected by CVE-2026-35177 through regular vulnerability scanning of system software.

CM-7 Least Functionality (prevent): Reduces exploitation risk of the zip.vim path traversal by prohibiting or restricting non-essential functionality such as ZIP archive processing.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability enables arbitrary file overwrite when a user opens a crafted ZIP archive in Vim (T1204.002 Malicious File); those file overwrites directly facilitate stored data manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Deeper analysis (AI-generated)

CVE-2026-35177 is a path traversal vulnerability in the zip.vim plugin of Vim, an open source command-line text editor. Versions of Vim prior to 9.2.0280 are affected, where the flaw allows attackers to bypass a previous mitigation for CVE-2025-53906. By opening specially crafted ZIP archives in Vim, arbitrary files on the system can be overwritten. The vulnerability is rated with a CVSS v3.1 base score of 4.1 (AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L) and is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

A local attacker with no privileges can exploit this vulnerability by tricking a user into opening a malicious ZIP archive in Vim. The attack has high complexity and requires user interaction, but successful exploitation allows arbitrary files to be overwritten, with low-impact integrity and availability consequences and a changed scope (the overwritten files can belong to components other than Vim itself).

The Vim project has addressed this issue in version 9.2.0280. Additional details are available in the GitHub security advisory at https://github.com/vim/vim/security/advisories/GHSA-jc86-w7vm-8p24.
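The advisory describes the underlying defect as a CWE-22 path traversal in an archive plugin: entry names taken from the ZIP were allowed to steer a write outside the intended directory. As an added, generic illustration (this is not Vim's zip.vim code and does not reproduce the bypass the advisory describes), the following shows the two checks an archive-handling component needs before it writes any entry to disk: a syntactic check on the entry name, and a containment check on the fully resolved target path so that a symlink inside the destination cannot redirect the write. The helper names, the sample entry names and the destination directories are constructed for this example.

```python
"""Added example: validating archive entry names before writing them to disk.

Generic defensive check against CWE-22 path traversal in archive handlers.
Not Vim's zip.vim implementation; the rules below are this example's own
assumptions about what a safe extractor should enforce.
"""
import io
import os
import shutil
import tempfile
import zipfile


def is_safe_member_name(name: str) -> bool:
    """Syntactic check on a raw entry name as stored in the archive."""
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators: some archivers emit them and some
    # extractors convert them, so "..\\x" is as dangerous as "../x".
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return False  # absolute path
    if len(normalized) > 1 and normalized[1] == ":":
        return False  # Windows drive prefix such as "C:/..."
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts:
        return False  # nothing to write ("." or "./")
    # Strict policy: any ".." component is rejected, even one that would
    # resolve back inside the destination. Simpler to reason about than
    # trying to prove where a normalised path ends up.
    return all(p != ".." for p in parts)


def resolved_target(dest_dir: str, name: str):
    """Return the absolute on-disk path the entry would be written to,
    or None if the entry must be rejected."""
    if not is_safe_member_name(name):
        return None
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name.replace("\\", "/")))
    # Containment check on the *resolved* path: realpath follows symlinks
    # that already exist under dest_dir, so a link pointing outside cannot
    # be used as a hop. commonpath raises ValueError on different drives.
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:
        return None
    return target


def audit_archive(data: bytes, dest_dir: str) -> dict:
    """Map every raw member name to its resolved write target, or None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: resolved_target(dest_dir, info.filename)
                for info in zf.infolist()}


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus several traversal attempts.
    writestr() stores the names verbatim, unlike ZipFile.extract() which
    sanitises on the way out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign\n")
        zf.writestr("../../escape.txt", "outside dest\n")
        zf.writestr("/abs/path.txt", "absolute\n")
        zf.writestr("notes/..\\..\\escape2.txt", "backslash traversal\n")
        zf.writestr("docs/./inner/../ok.txt", "rejected by strict policy\n")
    return buf.getvalue()


def demo_symlink_case() -> bool:
    """Create a destination containing a symlink that points outside it and
    return True if an entry routed through that link is rejected."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "dest")
    outside = os.path.join(root, "outside")
    os.makedirs(dest)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(dest, "link"))
    try:
        # "link/file.txt" passes the name check; only the resolved-path
        # containment check catches it.
        return resolved_target(dest, "link/file.txt") is None
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for member, target in audit_archive(build_sample_archive(), "/tmp/dest").items():
        print(f"{member!r:32} -> {target if target else 'REJECTED'}")
    print("symlink hop rejected:", demo_symlink_case())
```

The name check alone is not enough: it sees only the string in the archive, so the second check resolves the final path and verifies it is still under the destination. Rejecting every `..` component, rather than normalising and hoping, is the design choice that keeps the first check easy to audit.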

Details

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Affected Products

Vendor: vim
Product: vim
Version range as listed: ≤ 9.2.0280 (the NVD description above gives the affected range as versions prior to 9.2.0280, with 9.2.0280 as the fixed release)

CVEs Like This One

CVE-2026-34982 (same product: Vim Vim)
CVE-2026-28421 (same product: Vim Vim)
CVE-2026-34714 (same product: Vim Vim)
CVE-2026-26269 (same product: Vim Vim)
CVE-2026-28417 (same product: Vim Vim)
CVE-2026-39881 (same product: Vim Vim)
CVE-2026-33412 (same product: Vim Vim)
CVE-2025-27423 (same product: Vim Vim)
CVE-2025-1215 (same product: Vim Vim)
CVE-2026-29064 (shared CWE-22)
