CVE-2026-59856 in Viminfo

Summary

by MITRE • 07/10/2026

Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in Vim's PHP omni-completion functionality represents a critical command injection flaw that exploits improper input sanitization within the runtime autoload scripts. This issue affects versions prior to 9.2.0736 and specifically targets the phpcomplete.vim script located in the runtime/autoload directory. The vulnerability stems from the script's failure to properly escape class or trait names when interpolating them into search() function calls that are subsequently executed via win_execute().

The technical flaw manifests when Vim processes PHP code containing class or trait names that include special characters, particularly single quotes and the bar character. When a user opens a malicious PHP file and triggers omni-completion, the script reads the class or trait name from the buffer and directly incorporates it into a search() pattern without proper escaping mechanisms. The single quote character acts as an early termination for the search() string argument, allowing subsequent portions of the input to be interpreted as Ex commands rather than literal text.

This vulnerability operates through the exploitation of Vim's command execution capabilities where the bar character serves as an Ex command separator. When a malicious class name contains these special characters, the portion following the quote becomes executable code that can leverage Vim's :! command functionality for arbitrary operating system command execution. The attack requires minimal user interaction beyond opening the crafted file and invoking the omni-completion feature, making it particularly dangerous in environments where users may unknowingly open malicious files.

The operational impact of this vulnerability extends beyond simple code injection to full system compromise when attackers craft malicious PHP files containing specially formatted class or trait names. This allows for remote code execution with the privileges of the user running Vim, potentially enabling attackers to execute arbitrary commands, access sensitive data, or establish persistent access to affected systems. The vulnerability is particularly concerning in development environments where developers frequently use Vim for PHP development and may inadvertently open malicious files containing crafted class names.

Mitigation strategies should focus on updating to Vim version 9.2.0736 or later, which implements proper input escaping for the phpcomplete.vim script. Organizations should also consider implementing security measures such as restricting file access permissions, employing automated code scanning tools to identify potentially malicious PHP files, and educating developers about the risks of opening untrusted files. The vulnerability aligns with CWE-74 and CWE-94 categories related to improper neutralization of special elements and code injection respectively, while also mapping to ATT&CK techniques involving command and scripting interpreters for execution and privilege escalation through code injection methods.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!