Vim
By the Year
In 2021 there have been 5 vulnerabilities in Vim with an average score of 7.2 out of ten. Last year Vim had 1 security vulnerability published. That is, 4 more vulnerabilities have already been reported in 2021 as compared to last year. However, the average CVE base score of the vulnerabilities in 2021 is greater by 1.94.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2021 | 5 | 7.24 |
| 2020 | 1 | 5.30 |
| 2019 | 2 | 8.20 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Vim vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Vim Security Vulnerabilities
vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3872
7.8 - High
- October 19, 2021
vim is vulnerable to Heap-based Buffer Overflow
Heap-based Buffer Overflow
vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3875
5.5 - Medium
- October 15, 2021
vim is vulnerable to Heap-based Buffer Overflow
Memory Corruption
vim is vulnerable to Use After Free
CVE-2021-3796
7.3 - High
- September 15, 2021
vim is vulnerable to Use After Free
Dangling pointer
vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3778
7.8 - High
- September 15, 2021
vim is vulnerable to Heap-based Buffer Overflow
Heap-based Buffer Overflow
vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-3770
7.8 - High
- September 06, 2021
vim is vulnerable to Heap-based Buffer Overflow
Memory Corruption
In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g
CVE-2019-20807
5.3 - Medium
- May 28, 2020
In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).
Shell injection
The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.
CVE-2019-20079
7.8 - High
- December 30, 2019
The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.
Dangling pointer
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6
CVE-2019-12735
8.6 - High
- June 05, 2019
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
Shell injection
