Cyber Resilience

CVE-2026-39881

Severity: Medium
Published: 08 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: fixed in 9.2.0316
CVSS Score (v3.1): 5.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N)
EPSS Score: 0.0001 (0.9th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39881 is a medium-severity Code Injection (CWE-94) vulnerability in Vim (vendor: Vim). Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-11 (User-installed Software).

Deeper analysis

CVE-2026-39881 is a command injection vulnerability (CWE-94) in the netbeans interface of Vim, an open source command-line text editor. Versions of Vim prior to 9.2.0316 are affected, where unsanitized strings in the defineAnnoType and specialKeys protocol messages allow a malicious netbeans server to execute arbitrary Ex commands when a vulnerable Vim instance connects to it. The vulnerability carries a CVSS v3.1 base score of 5.0 (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N), indicating medium severity with high integrity impact potential.

Exploitation requires a local attacker with low privileges to control a malicious netbeans server and trick a user into connecting Vim to it, involving user interaction and high attack complexity. Upon successful connection, the attacker can execute arbitrary Ex commands within the victim's Vim session, potentially leading to low confidentiality impact and high integrity impact, such as modifying files or executing further commands depending on the Ex commands injected.

The vulnerability is fixed in Vim version 9.2.0316, as detailed in the project's GitHub security advisory (GHSA-mr87-rhgv-7pw6), release notes, and the patching commit. Security practitioners should advise users to update to 9.2.0316 or later and avoid connecting to untrusted netbeans servers.
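As an added illustration of the remediation check described above (this is not part of the original record and not Vim project code), the following script parses the output of `vim --version`, reads the major/minor version and the highest included patch number, and checks whether the build was compiled with the netbeans interface (the `+netbeans_intg` feature flag that Vim prints in its feature list). A host is only exposed if its Vim is older than 9.2.0316 and has the netbeans interface compiled in; the sample version outputs embedded below are constructed for demonstration.

```python
import re
import shutil
import subprocess

# Fix shipped in Vim 9.2.0316 according to the advisory text.
FIXED_VERSION = (9, 2, 316)

VERSION_RE = re.compile(r"VIM - Vi IMproved (\d+)\.(\d+)")
PATCHES_RE = re.compile(r"Included patches: (.*)")


def parse_vim_version(text):
    """Return (major, minor, patch) from `vim --version` output, or None if unparseable.

    The patch level is taken as the highest patch number in the
    "Included patches:" line (e.g. "1-316" -> 316). A build with gaps in
    that list should be inspected by hand rather than trusted blindly.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = 0
    pm = PATCHES_RE.search(text)
    if pm:
        nums = [int(n) for n in re.findall(r"\d+", pm.group(1))]
        if nums:
            patch = max(nums)
    return (major, minor, patch)


def has_netbeans(text):
    """True if the build lists the netbeans interface as compiled in (+netbeans_intg)."""
    return "+netbeans_intg" in text


def assess(text):
    """Classify a `vim --version` dump.

    vulnerable_version: version is below the fixed release (None if unparseable)
    netbeans:           netbeans interface compiled in
    exposed:            both of the above, i.e. the affected code path is present
    """
    ver = parse_vim_version(text)
    nb = has_netbeans(text)
    if ver is None:
        return {"version": None, "vulnerable_version": None, "netbeans": nb, "exposed": None}
    vuln = ver < FIXED_VERSION
    return {"version": ver, "vulnerable_version": vuln, "netbeans": nb, "exposed": vuln and nb}


def assess_local():
    """Run `vim --version` on this host and assess it; None if vim is not installed."""
    vim = shutil.which("vim")
    if not vim:
        return None
    out = subprocess.run([vim, "--version"], capture_output=True, text=True, check=False).stdout
    return assess(out)


# Constructed sample outputs (abbreviated to the lines this check reads).
SAMPLE_OLD = (
    "VIM - Vi IMproved 9.1 (2024 Jan 05, compiled Mar 10 2024 12:00:00)\n"
    "Included patches: 1-1200\n"
    "+mouse +netbeans_intg +python3\n"
)
SAMPLE_FIXED = (
    "VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Apr 10 2026 12:00:00)\n"
    "Included patches: 1-316\n"
    "+mouse +netbeans_intg +python3\n"
)
SAMPLE_NO_NETBEANS = (
    "VIM - Vi IMproved 9.1 (2024 Jan 05, compiled Mar 10 2024 12:00:00)\n"
    "Included patches: 1-1200\n"
    "+mouse -netbeans_intg +python3\n"
)

if __name__ == "__main__":
    for name, sample in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("no-netbeans", SAMPLE_NO_NETBEANS)):
        print(name, assess(sample))
    local = assess_local()
    print("local host:", local if local is not None else "vim not installed")
```

Reporting `vulnerable_version` and `netbeans` separately matters for triage: a build without `+netbeans_intg` does not contain the affected interface at all, while a vulnerable build that has it should be patched to 9.2.0316 or later, which is the control the record identifies as SI-2 (Flaw Remediation).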


Vulnerability details

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in Vim's netbeans protocol allows a malicious server to execute arbitrary Ex commands (including shell invocation) when a client connects, which directly enables client-side exploitation (T1203) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33412 (same product: Vim Vim)
CVE-2026-34714 (same product: Vim Vim)
CVE-2026-26269 (same product: Vim Vim)
CVE-2026-28417 (same product: Vim Vim)
CVE-2026-28421 (same product: Vim Vim)
CVE-2026-35177 (same product: Vim Vim)
CVE-2026-34982 (same product: Vim Vim)
CVE-2025-27423 (same product: Vim Vim)
CVE-2025-59041 (shared CWE-94)
CVE-2026-35197 (shared CWE-94)

Affected Assets

vim / vim: ≤ 9.2.0316

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and patching of the command injection flaw in Vim's netbeans interface to version 9.2.0316 or later, directly eliminating the vulnerability.

Least functionality (prevent)

Enforces least functionality by disabling or restricting the netbeans interface in Vim when not required, reducing the attack surface for malicious server connections.

CM-11 User-installed Software (prevent)

Controls and approves user-installed software such as vulnerable Vim versions, ensuring only patched instances are deployed to prevent exploitation.

References