CVE-2026-55895 in Vim

Summary

by MITRE • 06/25/2026

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.

Responsible: GitHub M
Reservation: 06/17/2026
Disclosure: 06/25/2026
Moderation: accepted
CPE: ready
EPSS: 0.00154
KEV: no
Activities: low
