CVE-2026-34982

Description

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The complete, guitabtooltip and printheader options are missing the P_MLE flag, allowing a modeline to be executed. Additionally, the mapset() function lacks a check_secure() call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Risk Information

Base Score

8.2

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score

Exploitation Probability

0.019

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2026-34982 are affected in Vim 9.2.275	Windows

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234