Home / Vulnerability Intelligence / CVE-2026-44656

CVE-2026-44656 - Vulnerability Analysis

N/a

Last Updated: May 8, 2026

Vim - Command Injection

Published: May 8, 2026Updated: May 8, 2026PoC Available

Overview

Vim < 9.2.0435 contains a command injection caused by lack of P_SECURE flag on the path option in :find command-line completion, letting attackers execute arbitrary shell commands via crafted files, exploit requires attacker to control file contents.

Severity & Score

Severity: N/a

Impact

Attackers controlling file contents can execute arbitrary shell commands when the user triggers :find completion, potentially leading to full system compromise.

Mitigation

Update to version 9.2.0435 or later.

References

https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
https://github.com/vim/vim/releases/tag/v9.2.0435
https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-44656
Severity: N/a
Type: command_injection
Status: new

CWE

CWE-78

CVSS Metrics

N/A