CVE-2026-59858 in Viminfo

Summary

by MITRE • 07/10/2026

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described represents a critical command injection flaw in Vim's omni-completion functionality that has significant security implications for developers who rely on this text editor for code navigation and completion. This issue affects versions prior to 9.2.0735 and specifically targets the ccomplete.vim script located in the runtime/autoload directory, which handles C language-specific completion features. The vulnerability arises from improper input validation and sanitization within the tag processing mechanism that Vim uses to provide intelligent code completion based on project tags files.

The technical flaw occurs when Vim processes tags entries containing specially crafted typeref: or typename: extension fields that are not properly escaped before being interpolated into vimgrep search patterns. The ccomplete.vim script constructs a pattern using these fields and executes it through the :execute command, which allows arbitrary command execution within Vim's context. Since :vimgrep treats the bar character as a command separator, an attacker can craft malicious tag entries that terminate the search pattern and inject additional Ex commands. This creates a path for remote code execution or privilege escalation when users open hostile source files and trigger omni-completion features.

This vulnerability aligns with CWE-74 and CWE-94 categories from the Common Weakness Enumeration, specifically representing a code injection flaw where user-controllable data is improperly integrated into command execution contexts. The attack vector requires an attacker to compromise a project's tags file, which could occur through various means including supply chain attacks or access to shared development environments. From an MITRE ATT&CK framework perspective, this maps to technique T1059.006 for command and scripting interpreter with the specific sub-technique involving shell commands in the context of application-specific interpreters.

The operational impact extends beyond simple code execution as it can potentially allow attackers to read arbitrary files, execute system commands, or even escalate privileges if the editing user has elevated permissions. This threat is particularly concerning because it leverages legitimate Vim features and requires minimal user interaction beyond opening a malicious file and triggering completion. The vulnerability affects developers working in C/C++ environments who rely on tags-based navigation, making it relevant to numerous development teams that use Vim as their primary editor. The fixed version 9.2.0735 implements proper input sanitization by escaping special characters in tag fields before interpolation into vimgrep patterns.

Organizations should immediately update to Vim version 9.2.0735 or later to mitigate this risk, while also implementing security practices such as validating tags file sources and monitoring for suspicious tag entries in shared development repositories. Network-level protections may include restricting access to project tags files from untrusted sources, though the vulnerability's nature makes it particularly dangerous in environments where developers have write access to shared projects or where tags are generated automatically from source code analysis tools. System administrators should also consider implementing monitoring for unusual Vim command patterns that might indicate exploitation attempts.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!