
CVE Reports

Originally published at cvereports.com


CVE-2026-28417: OS Command Injection in Vim netrw Plugin

Vulnerability ID: CVE-2026-28417
CVSS Score: 4.4
Published: 2026-02-27

An OS command injection vulnerability exists in the netrw plugin bundled with the Vim text editor. netrw builds shell commands for remote file operations, and it does not adequately validate the hostname component of the URIs it handles, so a hostname carrying shell metacharacters reaches the shell unescaped. A local attacker who can get a user to open a crafted URI with netrw can thereby run arbitrary commands with that user's privileges.

TL;DR

Vim versions prior to 9.2.0073 do not sanitize the hostname component of URIs handled by the netrw plugin. Because the hostname is interpolated into the shell command lines netrw uses for remote file operations without escaping, shell metacharacters inside it are executed, giving arbitrary code execution with the privileges of the Vim user. The issue is fixed in 9.2.0073.
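The injection mechanism described above, modelled in Python as an added example: this is not netrw's code (which is Vimscript) and nothing here comes from the advisory or from any published exploit. It assumes netrw's scp://host//path URI form, uses echo in place of scp so nothing touches the network, runs the command line through sh -c to stand in for Vim's shell invocation, and the hostname regex, URIs and function names are all constructed for the demonstration. It shows the vulnerable concatenation next to two independent fixes: an RFC 1123 hostname check and shell quoting.

```python
import re
import shlex
import subprocess

# Constructed sample URIs in netrw's scp://host//path form. They are made up
# for this demonstration and are not taken from any published exploit.
BENIGN_URI = "scp://files.example.com//srv/data/notes.txt"
HOSTILE_URI = "scp://files.example.com$(echo INJECTED)//srv/data/notes.txt"

# RFC 1123 hostname syntax: letter/digit/hyphen labels joined by dots.
# No shell metacharacter ($ ` ; | & ( ) < > space ...) can satisfy this.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def split_scp_uri(uri):
    """Split scp://host/path into (host, path).

    The host is everything before the first '/', which is exactly the
    untrusted component this advisory is about. A leading '//' means an
    absolute remote path, a single '/' a path relative to the remote home.
    """
    m = re.fullmatch(r"scp://([^/]*)/(.*)", uri)
    if not m:
        raise ValueError("not an scp:// URI: %r" % uri)
    return m.group(1), m.group(2)


def is_valid_hostname(host):
    return HOSTNAME_RE.fullmatch(host) is not None


def build_command_unsafe(host, path):
    # Vulnerable pattern: the hostname is pasted into the command line as-is.
    # 'echo' stands in for scp so the demo never touches the network.
    return "echo scp " + host + ":" + path + " /tmp/netrw-out"


def build_command_quoted(host, path):
    # Hardened pattern: the remote spec becomes one shell-escaped word, so
    # metacharacters inside it reach the shell as literal text.
    return "echo scp " + shlex.quote(host + ":" + path) + " /tmp/netrw-out"


def run_in_shell(cmdline):
    """Execute a command line through /bin/sh, as a Vim :! or system() call would."""
    return subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True).stdout


def fetch_unsafe(uri):
    host, path = split_scp_uri(uri)
    return run_in_shell(build_command_unsafe(host, path))


def fetch_safe(uri):
    """Validate first, then quote: two independent layers against injection."""
    host, path = split_scp_uri(uri)
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname with characters outside RFC 1123: %r" % host)
    return run_in_shell(build_command_quoted(host, path))


if __name__ == "__main__":
    print("benign, unsafe builder :", fetch_unsafe(BENIGN_URI).rstrip())
    print("hostile, unsafe builder:", fetch_unsafe(HOSTILE_URI).rstrip())
    host, path = split_scp_uri(HOSTILE_URI)
    print("hostile, quoted only   :", run_in_shell(build_command_quoted(host, path)).rstrip())
    try:
        fetch_safe(HOSTILE_URI)
    except ValueError as err:
        print("hostile, validated     :", err)
```

With the unsafe builder the hostile hostname's $(echo INJECTED) is evaluated by the shell and INJECTED appears in the output; with quoting alone the same text is echoed literally; with validation the URI is refused before any command line exists. Quoting is what stops the injection, validation is what keeps a malformed hostname from reaching the transport tool at all.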


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: OS Command Injection (CWE-78)
  • Attack Vector: Local (User Interaction Required)
  • CVSS v3.1 Score: 4.4 (Medium)
  • EPSS Score: 0.00012 (1.80%)
  • Impact: Arbitrary Code Execution under user process context
  • Exploitation Status: Proof-of-Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • Vim versions prior to 9.2.0073 (fixed in 9.2.0073)
  • Affected component: the netrw plugin shipped as a standard plugin with Vim

Mitigation Strategies

  • Software Update
  • Configuration Workaround
  • Input Validation

Remediation Steps:

  1. Identify all systems running Vim versions prior to 9.2.0073. The first line of vim --version gives the major.minor version and the "Included patches" line the patch level. Distribution packages may carry a backported fix under an older upstream version, so also consult the vendor advisory or package changelog.
  2. Update Vim to version 9.2.0073 or later using the system package manager.
  3. If patching is not possible, disable the netrw plugin by adding let g:loaded_netrw = 1 and let g:loaded_netrwPlugin = 1 to the system vimrc or the user's .vimrc. These variables must be set before Vim loads its plugins, which a vimrc satisfies; note that this also removes netrw's directory browsing and remote editing for that user.
  4. Restart any running Vim sessions, since an instance that has already loaded netrw is unaffected by the configuration change.
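One way to carry out steps 1 and 3 across a fleet, as an added example that is not part of the advisory: a Python check that parses vim --version output, decides whether patch 9.2.0073 is included, and verifies that a vimrc carries the netrw workaround. It assumes the banner format "VIM - Vi IMproved X.Y" and the "Included patches: 1-50, 52, 60-61" range syntax that Vim prints; the sample outputs are constructed, and the function names are mine. Because it checks for the specific fix patch rather than comparing version strings, it also handles builds that cherry-pick patches.

```python
import re
import subprocess

# Fixed version from the advisory: 9.2.0073, i.e. Vim 9.2 with patch 73.
FIX_MAJOR_MINOR = (9, 2)
FIX_PATCH = 73

# Constructed samples of `vim --version` output (first lines only).
SAMPLE_OLD = (
    "VIM - Vi IMproved 9.1 (constructed sample)\n"
    "Included patches: 1-1000\n"
    "Compiled by builder@example\n"
)
SAMPLE_FIXED = (
    "VIM - Vi IMproved 9.2 (constructed sample)\n"
    "Included patches: 1-73\n"
)
SAMPLE_CHERRY_PICKED = (
    "VIM - Vi IMproved 9.2 (constructed sample)\n"
    "Included patches: 1-50, 52, 60-61\n"
)


def parse_vim_version(text):
    """Return ((major, minor), set_of_included_patch_numbers) from `vim --version` output."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Vim version banner found")
    major_minor = (int(m.group(1)), int(m.group(2)))
    patches = set()
    p = re.search(r"Included patches:([0-9,\s-]+)", text)
    if p:
        # Entries are single numbers or ranges, e.g. "1-50, 52, 60-61".
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", p.group(1)):
            patches.update(range(int(lo), int(hi or lo) + 1))
    return major_minor, patches


def is_vulnerable(version_output):
    """True when the build predates 9.2.0073, i.e. lacks the fix patch."""
    major_minor, patches = parse_vim_version(version_output)
    if major_minor < FIX_MAJOR_MINOR:
        return True
    if major_minor > FIX_MAJOR_MINOR:
        return False
    # Same major.minor: the fix is present only if patch 73 is included.
    return FIX_PATCH not in patches


# The workaround line from step 3; a line commented out with a leading " does not count.
NETRW_DISABLE_RE = re.compile(r"^\s*let\s+g:loaded_netrwPlugin\s*=\s*1\s*$", re.MULTILINE)


def netrw_disabled_in(vimrc_text):
    """True if the vimrc text sets g:loaded_netrwPlugin = 1 on a live (uncommented) line."""
    return NETRW_DISABLE_RE.search(vimrc_text) is not None


def installed_vim_version_output():
    """Run the real `vim --version`; returns None when vim is not on PATH."""
    try:
        return subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    samples = (("9.1 +1000", SAMPLE_OLD), ("9.2 +73", SAMPLE_FIXED), ("9.2 cherry-picked", SAMPLE_CHERRY_PICKED))
    for label, sample in samples:
        print(label, "->", "vulnerable" if is_vulnerable(sample) else "fixed")
    live = installed_vim_version_output()
    if live:
        print("this host ->", "vulnerable" if is_vulnerable(live) else "fixed")
```

A "vulnerable" result from this check is a prompt to look further, not a final verdict: distributions that backport the fix keep the upstream patch level unchanged, so a 9.1 build flagged here may already be patched according to its package changelog.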

Read the full report for CVE-2026-28417 on our website for more details including interactive diagrams and full exploit analysis.
