CVE-2026-57456 | Vim is an open source, command line text editor. Prior to 9.… | CVSS 8.4 HIGH

Description

Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.

Metadata

CVE ID: CVE-2026-57456
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-24 13:21 UTC
Published: 2026-06-25 15:16 UTC
Last updated: 2026-06-25 17:42 UTC
Primary CWE: CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product: vim / vim
Sources: cve.org · NVD

Severity & Metrics

8.4 HIGH CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
vim	vim	—	< 9.2.0699

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.4	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3 https://github.com/vim/vim/security/advisories/GHSA-ppj8-wqjf-6fp3
https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8 https://github.com/vim/vim/commit/cce141c42740f122dd8486ae04e21c2a81016ba8
https://github.com/vim/vim/releases/tag/v9.2.0699 https://github.com/vim/vim/releases/tag/v9.2.0699