Vim <=9.2.0662 Netrw LocalRmFile Vimscript Injection
CVE-2026-55895 Published on June 25, 2026
Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename
Vim is an open source, command-line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
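A first-pass exposure check against the fixed version named above, as an added example (not code from the Vim project or this advisory): it parses `vim --version` text and reports whether patch 663 of 9.2 is included. The sample strings and function names are constructed for illustration; because the fix is in the netrw runtime file, a separately packaged or backported runtime can differ from what the binary reports.

```python
import re
import sys

FIXED_RELEASE = (9, 2)  # from the advisory: fixed in 9.2.0663
FIXED_PATCH = 663

# Constructed samples of `vim --version` output (not captured from real builds).
SAMPLE_VULNERABLE = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-662\n"
SAMPLE_FIXED = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-663\n"
SAMPLE_GAP = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-662, 664-700\n"


def parse_vim_version(text):
    """Return ((major, minor), [(lo, hi), ...]) from `vim --version` text, or None."""
    head = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not head:
        return None
    ranges = []
    line = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if line:
        # The line may hold several ranges or single numbers, e.g. "1-120, 122-662, 670".
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", line.group(1)):
            ranges.append((int(lo), int(hi or lo)))
    return (int(head.group(1)), int(head.group(2))), ranges


def is_affected(text):
    """True = fix not included, False = fix included, None = output not recognised."""
    parsed = parse_vim_version(text)
    if parsed is None:
        return None
    release, ranges = parsed
    if release != FIXED_RELEASE:
        # Older release lines predate the fix; newer ones are assumed to carry it.
        return release < FIXED_RELEASE
    # Same release: the fixing patch itself must be listed. A highest-number
    # comparison would wrongly pass a build that skipped patch 663.
    return not any(lo <= FIXED_PATCH <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Usage: vim --version | python3 check_vim.py
    result = is_affected(sys.stdin.read())
    print({True: "affected", False: "fix included", None: "unrecognised output"}[result])
```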
Weakness Types
What is a Shell Injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-55895 has been classified as a Shell Injection vulnerability or weakness.
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-55895 has been classified as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-55895