HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-47162Published Modified CNA GitHub_M

CVE-2026-47162: Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

Metrics

CVSS v4.0
7.3
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Vimscript code injection in Vim's netrw plugin allows an attacker to embed arbitrary Vimscript in a crafted directory name, which gets written unescaped to the ~/.vim/.netrwhist history file and executed the next time Vim sources that file. Reaching this vulnerability requires network access (netrw browses remote paths), a low-privilege account, and a victim opening Vim after visiting a malicious directory. Successful exploitation gives the attacker full code execution in the Vim process context, including shell command access via system() and :!. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-47162 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Vim or its netrw plugin. Any image containing a vulnerable vim package version below 9.2.0495 will surface in scan results automatically.

Available
Triage

HarborGuard scores this CVE at 7.3 HIGH using the CVSS v4.0 vector and weights findings against each environment's compliance policy to determine urgency routing. Triage results are delivered to the inbox or ticketing integration configured for the relevant team within each customer organization.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the interim, customers can use HarborGuard's policy controls to flag or block promotion of images containing the affected vim package through their pipelines.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must serve a crafted directory name over the network to a victim browsing remote paths via netrw, requiring the victim's Vim instance to reach an attacker-controlled network location.

  • AuthenticationRequired

    The CVSS vector specifies PR:L, meaning the attacker needs at least a low-privilege account or equivalent access to stage or serve the malicious directory structure.

  • Victim interactionRequired

    The CVSS vector specifies UI:A, meaning the victim must actively browse the attacker-controlled directory with netrw and then reopen Vim so that the poisoned history file is sourced.

  • Attack complexityDetail

    The CVSS vector specifies AC:L but AT:P, meaning the exploit logic itself is straightforward and reliable, but specific target conditions (such as the victim having netrw history enabled and sourcing the history file) must be in place.

Blast Radius

  • Reads files accessible to the Vim process owner, including SSH keys, shell history, and local credentials stored in dot-files.
  • Modifies files writable by the Vim process owner, including shell configuration files that could establish persistence.
  • Executes arbitrary shell commands in the context of the logged-in user via Vimscript system() or :! at the moment the history file is sourced.

How HarborGuard Handles This

Available on HarborGuard: because no patched version of vim has been published upstream, automated image rebuilds are not yet available for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will trigger patched-image rebuild availability and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as upstream ships the fix. Until then, customers can apply compensating controls through HarborGuard's policy engine: blocking pipeline promotion of images containing vim versions below 9.2.0495, isolating workloads that run Vim against untrusted remote paths using network policy, and disabling or removing the netrw plugin in images where remote browsing is not required. Severity routing for this HIGH-scored finding is available now so the right team inside each organization receives the alert without delay.

See how HarborGuard automates this
Affected packages
  • vim / vim
    < 9.2.0495
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References