Vim 9.2.0072 netrw CMD-INJ via scp://
CVE-2026-28417 Published on February 27, 2026
Vim has OS Command Injection in netrw
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
Vulnerability Analysis
CVE-2026-28417 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a "javascript:" URI scheme, but a "java%00script:" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.
Products Associated with CVE-2026-28417
stack.watch emails you whenever new vulnerabilities are published in Vim or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
vim Version < 9.2.0073 is affected by CVE-2026-28417Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.