CVE-2026-42307
Published: 08 May 2026
Summary
CVE-2026-42307 is a medium-severity OS Command Injection (CWE-78) vulnerability in Vim Vim. Its CVSS base score is 4.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 45.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28851
Vulnerability details
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp://…
more
or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Crafted URL triggers OS command injection (CWE-78) for arbitrary shell execution after user interaction.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.