Vim <9.2.0735: Command Injection via C omnicompletion tags
CVE-2026-59858 Published on July 9, 2026

Vim: Arbitrary Code Execution via C Omni-Completion
Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.

NVD

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-59858 has been classified to as a Code Injection vulnerability or weakness.


Products Associated with CVE-2026-59858

stack.watch emails you whenever new vulnerabilities are published in Vim or Canonical Ubuntu Linux. Just hit a watch button to start following.

Vim
 
 

Affected Versions

vim Version < 9.2.0735 is affected by CVE-2026-59858