CVE-2026-57453

Severity: Medium
Published: 25 June 2026
Modified: 26 June 2026
KEV Added: not listed
Patch: available (fixed in 9.2.0678)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0014 (3.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-57453 is a medium-severity command injection (CWE-77) vulnerability in Vim, specifically in the bundled zip plugin (autoload/zip.vim). Its CVSS v3.1 base score is 6.5 (Medium). The vector is local with user interaction required (AV:L, UI:R), reflecting that a victim has to open a crafted archive, and the confidentiality and integrity impact is rated high because the injected PowerShell commands run with the privileges of the user running Vim.

Operationally, its EPSS score of 0.0014 places it at the 3.5th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Vim is an open source, command line text editor. From 9.1.1784 up to, but not including, 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can therefore break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim; the trigger is simply opening, viewing or extracting the archive. The flaw is fixed in 9.2.0678.
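The quoting-layer mismatch described above, as an added example in Python (this is not Vim's zip.vim code and not the project's fix): a hypothetical shell-only quoter stands in for the vulnerable path, a PowerShell single-quote quoter stands in for a corrected one, and a minimal model of how PowerShell reads a single-quoted literal shows what code would follow the literal in each case. The command template, helper names and entry names are all constructed here; the handling of Unicode quote characters reflects PowerShell's tokenizer rules and is not something the advisory states.

```python
# Added example (not Vim's zip.vim code): a model of the quoting-layer mismatch
# behind CVE-2026-57453. Command template, helpers and entry names are
# constructed for illustration.

# Characters PowerShell's tokenizer accepts as single-quote string delimiters:
# the ASCII apostrophe plus the Unicode curly/low single quotes. (Tokenizer
# detail, not a statement from the advisory.)
PS_SINGLE_QUOTES = "'\u2018\u2019\u201a\u201b"


def quote_for_outer_shell(name: str) -> str:
    """Hypothetical shell-only quoting, standing in for the vulnerable path:
    escape what the OUTER command line cares about inside a double-quoted
    argument, and nothing else. An apostrophe is not special at that layer,
    so it passes straight through into the PowerShell source text."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def quote_for_powershell(name: str) -> str:
    """Quote NAME as a PowerShell single-quoted literal. Inside such a literal
    the only special character is the closing quote, escaped by doubling it.
    Names containing the Unicode quote variants are refused rather than
    trusting an escaping rule for them."""
    if any(c in name for c in PS_SINGLE_QUOTES[1:]):
        raise ValueError("entry name contains a PowerShell quote character")
    return "'" + name.replace("'", "''") + "'"


TEMPLATE_PREFIX = "$entry = "
TEMPLATE_TAIL = "; Write-Output $entry"   # the only code that should follow


def build_vulnerable(entry: str) -> str:
    """Entry name dropped into PowerShell source after shell-only quoting."""
    return f"{TEMPLATE_PREFIX}'{quote_for_outer_shell(entry)}'{TEMPLATE_TAIL}"


def build_fixed(entry: str) -> str:
    """Same template, but the name is quoted for the layer that parses it."""
    return f"{TEMPLATE_PREFIX}{quote_for_powershell(entry)}{TEMPLATE_TAIL}"


def read_single_quoted(fragment: str):
    """Minimal model of PowerShell reading a single-quoted literal that starts
    at fragment[0]: a quote immediately followed by another quote is a literal
    apostrophe, any other quote ends the string.
    Returns (string_value, remaining_source)."""
    if not fragment or fragment[0] not in PS_SINGLE_QUOTES:
        raise ValueError("fragment does not start with a single quote")
    value = []
    i = 1
    while i < len(fragment):
        c = fragment[i]
        if c in PS_SINGLE_QUOTES:
            if i + 1 < len(fragment) and fragment[i + 1] in PS_SINGLE_QUOTES:
                value.append("'")
                i += 2
                continue
            return "".join(value), fragment[i + 1:]
        value.append(c)
        i += 1
    raise ValueError("unterminated single-quoted string")


def analyse(command: str):
    """Split a built command into (literal_value, code_after_literal)."""
    if not command.startswith(TEMPLATE_PREFIX):
        raise ValueError("command does not use the expected template")
    return read_single_quoted(command[len(TEMPLATE_PREFIX):])


def is_injected(command: str) -> bool:
    """True when PowerShell would see code after the literal that the
    template did not put there, i.e. the entry name broke out."""
    _, rest = analyse(command)
    return rest != TEMPLATE_TAIL


if __name__ == "__main__":
    # Constructed entry names: one benign, one that closes the literal early.
    for name in ("notes.txt", "notes.txt'; Write-Output INJECTED; '"):
        for label, build in (("vulnerable", build_vulnerable), ("fixed", build_fixed)):
            cmd = build(name)
            value, rest = analyse(cmd)
            print(f"{label:10} {name!r:40} -> literal={value!r} "
                  f"code_after={rest!r} injected={is_injected(cmd)}")
```

Run stand-alone, the vulnerable build of the second name ends the literal at `notes.txt` and leaves `; Write-Output INJECTED; ...` to be executed as code, while the fixed build yields the whole name as a string and only the template tail as code. The general point is that text must be escaped for the layer that actually parses it; the more robust design, independent of how the project itself resolved this, is to hand the entry name to PowerShell as data (an argument or environment variable the script reads) rather than interpolating it into source text at all.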

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vim
Product: vim (bundled zip plugin, autoload/zip.vim)
Versions: 9.1.1784 up to, but not including, 9.2.0678

Mitigating Controls

No mitigating controls have been mapped by the per-CVE control annotator yet. The advisory itself gives the remediation: upgrade to Vim 9.2.0678 or later. Until then, note that the vulnerable code path is reached only when zip.vim takes its PowerShell fallback, so hosts where that fallback is never taken are not exposed through this vector; where it is taken, the remaining exposure is a user opening a crafted archive (the CVSS vector's AV:L/UI:R), so archives from untrusted sources should not be opened in an unpatched Vim. As a stop-gap, Vim's standard mechanism for disabling a bundled plugin applies: setting `let g:loaded_zipPlugin = 1` in vimrc before plugins load stops zip.vim from handling archives at all (a general Vim mechanism, not a control the advisory lists).