{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47162", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-18T21:25:34.496Z", "datePublished": "2026-06-11T18:32:14.471Z", "dateUpdated": "2026-06-30T12:10:02.279Z"}, "containers": {"cna": {"title": "Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c"}, {"name": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b"}, {"name": "https://github.com/vim/vim/releases/tag/v9.2.0495", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0495"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.2.0495", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-11T18:32:14.471Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495."}], "source": {"advisory": "GHSA-crm5-rh6j-2c7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-12T03:55:42.649076Z", "id": "CVE-2026-47162", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T12:47:52.867Z"}}, {"affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat"}], "datePublic": "2026-06-11T18:32:14.471Z", "descriptions": [{"lang": "en", "value": "A flaw was found in Vim, an open-source text editor. This vulnerability, located in the netrw plugin, involves a code injection issue when the editor processes directory paths. A malicious directory name, if crafted by an attacker, could bypass security measures and allow for the execution of unauthorized commands. This could lead to arbitrary code execution on the affected system."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-140", "description": "Improper Neutralization of Delimiters", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-47162"}, {"name": "RHBZ#2487964", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487964"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47162.json"}], "timeline": [{"lang": "en", "time": "2026-06-11T19:00:56.050Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-11T18:32:14.471Z", "value": "Made public."}], "title": "vim: Vim: Arbitrary Code Execution via crafted directory names", "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:10:02.279Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "vim: Vim: Arbitrary Code Execution via crafted directory names", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-06-11T19:00:56.050Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-11T18:32:14.471Z", "value": "Made public."}], "x_adpType": "supplier", "datePublic": "2026-06-11T18:32:14.471Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-47162", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487964", "name": "RHBZ#2487964", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47162.json", "tags": ["x_sadp-csaf-vex"]}], "x_generator": {"engine": "sadp-cli 1.0.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Vim, an open-source text editor. This vulnerability, located in the netrw plugin, involves a code injection issue when the editor processes directory paths. A malicious directory name, if crafted by an attacker, could bypass security measures and allow for the execution of unauthorized commands. This could lead to arbitrary code execution on the affected system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-140", "description": "Improper Neutralization of Delimiters"}]}], "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T03:16:10.529Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-47162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-12T03:55:42.649076Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T12:47:50.083Z"}}], "cna": {"title": "Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name", "source": {"advisory": "GHSA-crm5-rh6j-2c7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": "< 9.2.0495"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c", "name": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b", "name": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0495", "name": "https://github.com/vim/vim/releases/tag/v9.2.0495", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-11T18:32:14.471Z"}}}, "cveMetadata": {"cveId": "CVE-2026-47162", "state": "PUBLISHED", "dateUpdated": "2026-06-30T03:16:10.529Z", "dateReserved": "2026-05-18T21:25:34.496Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-11T18:32:14.471Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "F06ADF1A-D6E5-4530-AFFA-83D781D33D74", "versionEndExcluding": "9.2.0495", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495."}], "id": "CVE-2026-47162", "lastModified": "2026-06-13T01:04:09.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-11T19:16:44.160", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0495"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vim: Vim: Arbitrary Code Execution via crafted directory names", "id": "2487964", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487964"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-140", "details": ["Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.", "A flaw was found in Vim, an open-source text editor. This vulnerability, located in the netrw plugin, involves a code injection issue when the editor processes directory paths. A malicious directory name, if crafted by an attacker, could bypass security measures and allow for the execution of unauthorized commands. This could lead to arbitrary code execution on the affected system."], "name": "CVE-2026-47162", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-06-11T18:32:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-47162\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47162\nhttps://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b\nhttps://github.com/vim/vim/releases/tag/v9.2.0495\nhttps://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.0495)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vim", "source": "cna", "vendor": "vim"}, "product": "vim", "vendor": "vim"}], "created": "2026-06-11T21:15:07.130251+00:00", "updated": "2026-06-30T02:00:05.105380+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}