Platform
linux
Component
vim
Fixed in
9.2.0316
This vulnerability affects Vim, the widely used open-source text editor. Vim's netbeans interface lets an external program (originally the NetBeans IDE) drive the editor over a socket; Vim is the client and connects to the server named on the command line (-nb) or with :nbstart. A command injection flaw in that interface allows a malicious netbeans server to make the connected Vim execute arbitrary Ex commands. Affected are Vim versions from 9.2.0000 up to, but not including, 9.2.0316; the fix is patch 9.2.0316.
An attacker who controls the netbeans server that a victim's Vim connects to can exploit this flaw to run arbitrary Ex commands inside the Vim process. Because Ex commands include :! (run a shell command) and :call system(), this is effectively arbitrary code execution with the privileges of the user running Vim: the attacker can read and modify any file that user can reach, write to that user's shell or editor configuration, or launch further tooling. The blast radius is limited to hosts whose Vim is pointed at the attacker's server, but on such a host the consequences are severe.
This vulnerability was publicly disclosed on 2026-04-08. No public proof-of-concept exploit is known and no active exploitation campaigns have been reported; the EPSS score is shown below. Once a Vim instance is connected to an attacker-controlled server, exploitation is straightforward (the server only has to send crafted protocol messages), so connected instances are a realistic target. The attacker's main obstacle is the prerequisite: the victim's Vim must be started with -nb or :nbstart against a server the attacker controls.
Exploit Status
EPSS: 0.16% (37th percentile)
The primary mitigation is to upgrade Vim to 9.2.0316 or later. If that is not immediately feasible, do not start Vim with -nb and do not run :nbstart against any netbeans server you do not control; the netbeans interface is inactive unless one of these is used. Building Vim with --disable-netbeans removes the code path entirely (has('netbeans_intg') then returns 0); this only affects users of IDE-style netbeans integrations. If you monitor for connections, remember that Vim is the client: look for outbound connections from Vim processes to the host and port named in a -nb argument or :nbstart, not for inbound ones. After upgrading, confirm the fix with vim --version: the first line should show 9.2 (or later) and the "Included patches" line should reach 316 or higher. Do not verify by connecting to a known malicious server; that is the attack, not a test.
Update to version 9.2.0316 or later to close the Ex command injection. The patch corrects the issue by properly sanitizing strings received in netbeans protocol messages, so a malicious server can no longer smuggle arbitrary Ex commands through them.
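The version check described above, as an added example that is not part of this advisory or of the Vim project. It parses the text of vim --version, packs major, minor and highest applied patch into one integer, and reports a build as exposed only when it is older than 9.2.0316 and was compiled with +netbeans_intg. The cut-off comes from the advisory; treating every older build as unpatched is an assumption (the advisory lists 9.2.0000 onward), and the sample dumps are constructed, not captured from real builds.

```sh
#!/bin/sh
# Added example (not from the advisory or the Vim project): classify a
# "vim --version" dump for the netbeans Ex-command injection fixed in 9.2.0316.

# Version 9.2 with patch 316, packed into one integer for easy comparison.
FIXED_NUM=$((9 * 100000000 + 2 * 100000 + 316))

# Print major*10^8 + minor*10^5 + highest patch for a --version dump.
# The first line reads "VIM - Vi IMproved 9.2 (...)"; a later line reads
# "Included patches: 1-316" (absent on a release with no patches applied).
vim_version_number() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
  [ -n "$ver" ] || return 1
  major=${ver% *}
  minor=${ver#* }
  # The last number on the "Included patches" line is the highest applied patch.
  patch=$(printf '%s\n' "$1" | sed -n 's/^Included patches:.*[^0-9]\([0-9][0-9]*\)$/\1/p' | head -n 1)
  echo $((major * 100000000 + minor * 100000 + ${patch:-0}))
}

# A build without +netbeans_intg has no netbeans code path to attack.
vim_has_netbeans() {
  printf '%s\n' "$1" | grep -qF -- '+netbeans_intg'
}

# Exit 0 if the dump describes an exposed, unpatched build; 1 if it is patched
# or built without netbeans; 2 if the dump could not be parsed.
vim_is_vulnerable() {
  num=$(vim_version_number "$1") || { echo "cannot parse vim --version output" >&2; return 2; }
  vim_has_netbeans "$1" || return 1
  [ "$num" -lt "$FIXED_NUM" ]
}

# Constructed sample dumps (dates and feature lists are made up), trimmed to
# the lines the functions look at.
SAMPLE_OLD='VIM - Vi IMproved 9.2 (2025 Dec 31, compiled Apr 01 2026 00:00:00)
Included patches: 1-300
Huge version without GUI.  Features included (+) or not (-):
+netbeans_intg +num64 +packages'
SAMPLE_FIXED='VIM - Vi IMproved 9.2 (2025 Dec 31, compiled Apr 10 2026 00:00:00)
Included patches: 1-320
Huge version without GUI.  Features included (+) or not (-):
+netbeans_intg +num64 +packages'
SAMPLE_NO_NB='VIM - Vi IMproved 9.2 (2025 Dec 31, compiled Apr 01 2026 00:00:00)
Included patches: 1-300
Small version without GUI.  Features included (+) or not (-):
-netbeans_intg +num64 +packages'

# Check the vim on PATH, if there is one.
if command -v vim >/dev/null 2>&1; then
  if vim_is_vulnerable "$(vim --version)"; then
    echo "installed vim is older than 9.2.0316 and has +netbeans_intg: upgrade"
  else
    echo "installed vim is patched, built without netbeans, or could not be parsed"
  fi
fi
```

Run it on every host that may ever be started with -nb; a build that reports -netbeans_intg needs no further action for this issue, whatever its version.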
CVE-2026-39881 is a command injection vulnerability in Vim's netbeans interface that lets a malicious netbeans server execute arbitrary Ex commands in the connected Vim.
You are affected if you run a Vim build with +netbeans_intg at a version from 9.2.0000 up to, but not including, 9.2.0316, and that Vim connects (via -nb or :nbstart) to a netbeans server you do not control.
Upgrade Vim to version 9.2.0316 or later. If upgrading is not possible, stop using -nb and :nbstart against untrusted servers, or rebuild with --disable-netbeans.
No active exploitation campaigns have been reported. Vim instances that are already connected to an attacker-controlled server are an easy target; the attacker's obstacle is getting a victim to connect in the first place.
Refer to the Vim project's security advisories on their official website for the latest information.