{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33412", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.171Z", "datePublished": "2026-03-24T19:43:07.219Z", "dateUpdated": "2026-03-25T19:28:18.219Z"}, "containers": {"cna": {"title": "Vim affected by Command injection via newline in glob()", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c"}, {"name": "https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a"}, {"name": "https://github.com/vim/vim/releases/tag/v9.2.0202", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0202"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.2.0202", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:43:07.219Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202."}], "source": {"advisory": "GHSA-w5jw-f54h-x46c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/19/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-24T20:16:21.339Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:28:11.644101Z", "id": "CVE-2026-33412", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:28:18.219Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/19/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-24T20:16:21.339Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33412", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:28:11.644101Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:28:15.587Z"}}], "cna": {"title": "Vim affected by Command injection via newline in glob()", "source": {"advisory": "GHSA-w5jw-f54h-x46c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.2.0202"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c", "name": "https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a", "name": "https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0202", "name": "https://github.com/vim/vim/releases/tag/v9.2.0202", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:43:07.219Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33412", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:28:18.219Z", "dateReserved": "2026-03-19T17:02:34.171Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:43:07.219Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "E79E22DB-B3DB-45AC-9D86-F917E6A7EC6C", "versionEndExcluding": "9.2.0202", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202."}], "id": "CVE-2026-33412", "lastModified": "2026-03-25T21:59:14.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T20:16:29.740", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0202"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/19/10"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vim: Vim: Arbitrary code execution via command injection in glob() function", "id": "2450907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450907"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in Vim. By including a newline character in a pattern passed to Vim's glob() function, an attacker may be able to execute arbitrary shell commands. This command injection vulnerability allows for arbitrary code execution, depending on the user's shell settings."], "name": "CVE-2026-33412", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-24T19:43:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33412\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33412\nhttps://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a\nhttps://github.com/vim/vim/releases/tag/v9.2.0202\nhttps://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.0202)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vim", "source": "cna", "vendor": "vim"}, "product": "vim", "vendor": "vim"}], "analysis": {"en": {"generated_at": "2026-03-24T21:36:30.680211+00:00", "value": {"mitigation_remediation": ["Upgrade Vim to version 9.2.0202 or newer", "Verify that the 'shell' option is set to a trusted executable", "Review and monitor Vim usage for unexpected command execution"], "summary": {"action": "Patch", "impact": "Command injection"}, "threat_synthesis": {"affected_systems": "Vim versions up to but not including 9.2.0202 are vulnerable; all releases containing the buggy glob() implementation on Unix\u2011like platforms are affected. The issue is fixed in Vim 9.2.0202 and later.", "description_and_impact": "Vim, the open\u2011source command\u2011line editor, has a flaw in its glob() function on Unix\u2011like systems that allows an attacker to inject shell commands via a pattern containing a newline character; the injected command executes with the privileges of the user running Vim, facilitating arbitrary command execution and matching CWE\u201178.", "risk_and_exploitability": "The CVSS score of 5.6 indicates moderate severity, but no EPSS score is available, leaving exploitation likelihood uncertain; the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers need local access to a Vim session and control over the pattern passed to glob(); the flaw does not require privilege escalation but can execute arbitrary shell commands, potentially compromising system integrity."}}}}, "created": "2026-03-25T11:46:11.620392+00:00", "updated": "2026-03-25T20:57:36.849051+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}