Opened 4 weeks ago

Closed 13 days ago

#5914 closed enhancement (fixed)

vim-9.2.0383 or later

Reported by: Douglas R. Reno
Owned by: SecurityAdvisory
Priority: high
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version that fixes a security vulnerability:


Command injection via backtick expansion in tag filenames in Vim < v9.2.0357
============================================================================
Date: 15.04.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command
     ('OS Command Injection') (CWE-78)

## Summary
A command injection vulnerability exists in Vim's tag file processing.
When resolving a tag, the filename field from the tags file is passed
through wildcard expansion to resolve environment variables and wildcards.
If the filename field contains backtick syntax (e.g., `` `command` ``), Vim
executes the embedded command via the system shell with the full privileges of
the running user.

## Description
Vim includes built-in support for tag navigation (`:tag`, `Ctrl-]`).
When a tag is resolved, `jumpto_tag()` calls `expand_tag_fname()` to
resolve the filename field of the matching tags file entry.
`expand_tag_fname()` passes this filename to `ExpandOne()`, which
performs wildcard expansion. Because backtick characters cause
`mch_has_wildcard()` to return TRUE, `ExpandOne()` calls
`expand_backtick()`, which invokes `get_cmd_output()` and executes the
backtick-embedded string as a shell command.

A malicious tags file entry of the form:

    main	`touch /tmp/pwned`	/^int main(int argc, char **argv) {$/;"	f

is sufficient to trigger execution when the user navigates to the `main`
tag.

Exploitation requires the following conditions:
- The user opens Vim in a directory containing a malicious `tags` file,
  or has configured additional tag sources via `set tags+=...`.
- The user performs tag navigation (`:tag`, `Ctrl-]`, or `vim -t`) for a
  malicious tag target.

Tag files in the working directory are consulted by default, making
repository-hosted `tags` files (e.g. in a cloned git repository) a
plausible delivery mechanism.

## Impact
Impact is **medium** because exploitation requires the user to perform
tag navigation, but no further confirmation or interaction is needed
once that navigation is triggered. Successful exploitation results in
arbitrary shell command execution with the privileges of the Vim
process.

## Acknowledgements
The Vim project would like to thank Srinivas Piskala Ganesh Babu and
Andy Ngo for identifying the vulnerability, providing a call graph
analysis and proof-of-concept reproduction.

## References
The issue has been fixed as of Vim patch [v9.2.0357](https://github.com/vim/vim/releases/tag/v9.2.0357).
- [Commit](https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb)
- [GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8)
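
A scanner for the entry shape the advisory describes, written in Python rather than Vim script as an added example (this is not the Vim project's code). It assumes the ctags line format `tag<TAB>filename<TAB>excmd;"<TAB>fields`, treats `!_TAG_` lines as headers, and the set of non-backtick "expansion trigger" characters is an assumption about Vim's Unix `mch_has_wildcard()`; only the backtick is what the advisory says reaches the shell.

```python
"""Flag tag-file entries whose filename field would reach Vim's backtick
expansion (the tags-file issue fixed in Vim 9.2.0357).

Added example, written in Python rather than Vim script; this is not the
Vim project's code. Assumes the ctags line format
tag<TAB>filename<TAB>excmd;"<TAB>fields and treats header lines starting
with !_TAG_ as non-entries.
"""
from dataclasses import dataclass

# Backticks are what reach the shell (expand_backtick -> get_cmd_output).
# The other characters are an assumption about Vim's Unix mch_has_wildcard()
# set; they trigger expansion but do not by themselves run a command.
BACKTICK = "`"
EXPANSION_TRIGGERS = set("*?[{$~")


@dataclass
class Finding:
    lineno: int
    tag: str
    filename: str
    reason: str


def parse_tags_line(line):
    """Return (tag, filename) for a ctags entry, or None for headers/blank lines."""
    if not line or line.startswith("!_TAG_"):
        return None
    parts = line.split("\t", 2)   # excmd and fields may contain tabs; keep them whole
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def scan_tags(text):
    """Scan the text of a tags file; return a Finding per suspicious filename field."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_tags_line(raw)
        if parsed is None:
            continue
        tag, filename = parsed
        if BACKTICK in filename:
            findings.append(Finding(lineno, tag, filename, "backtick command substitution"))
        elif EXPANSION_TRIGGERS & set(filename):
            findings.append(Finding(lineno, tag, filename, "wildcard or variable expansion"))
    return findings


# Constructed sample: one header, the advisory's proof-of-concept entry, one benign entry.
SAMPLE_TAGS = (
    '!_TAG_FILE_FORMAT\t2\t/extended format/\n'
    'main\t`touch /tmp/pwned`\t/^int main(int argc, char **argv) {$/;"\tf\n'
    'helper\tsrc/util.c\t/^void helper(void)$/;"\tf\n'
)


def demo():
    """Run the scanner over the constructed sample and return its findings."""
    return scan_tags(SAMPLE_TAGS)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.lineno}: tag {f.tag!r} -> {f.filename!r} ({f.reason})")
```

Run it against the `tags` file in a freshly cloned repository before the first `:tag` or `Ctrl-]`; on a patched Vim the backtick entry is no longer executed, but a tags file carrying one is still worth knowing about.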

Change History (4)

comment:1 by Bruce Dubbs, 4 weeks ago

Summary: vim-9.2.0357 → vim-9.2.0357 or later

comment:2 by Joe Locash, 3 weeks ago

Summary: vim-9.2.0357 or later → vim-9.2.0383 or later

OS Command Injection in netrw affects Vim < 9.2.0383
=====================================================
Date: 21.04.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

## Summary
An OS command injection vulnerability exists in the `netrw` standard
plugin bundled with Vim. By inducing a user to open a crafted URL (e.g.,
using the `sftp://` or `file://` protocol handlers), an attacker can
execute arbitrary shell commands with the privileges of the Vim process.

## Description
When Netrw processes remote or local URLs such as `sftp://host/path` or
`file://host/path`, it may create temporary files to store transferred
content. The temporary file name is derived in part from the original
file name, including its suffix.

The vulnerability exists because the suffix extraction logic in
`s:GetTempfile()` previously allowed arbitrary characters after the `.` 
in a filename. This permitted shell metacharacters (e.g., `;`, `|`, `&`) 
to be embedded in the suffix and propagated into the generated temporary 
file name.

Since this temporary file name was passed to external commands (such as
`sftp` or configured file handlers) without proper escaping, attackers 
could inject arbitrary shell commands. 

## Impact
The vulnerability allows for arbitrary shell command execution in the 
context of the Vim process. Exploitation requires the user to open a 
specially crafted URL, and the injected payload is typically visible in 
the filename, making stealthy exploitation less likely. Therefore, the 
severity is rated medium.

## Acknowledgements
The Vim project would like to thank Joshua Rogers of [AISLE Research 
Team](https://aisle.com/) for reporting the issue.

## References
The issue has been fixed as of Vim patch [v9.2.0383](https://github.com/vim/vim/releases/tag/v9.2.0383).
- [Commit](https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc)
- [Github Security Advisory](https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx)
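
The weak suffix extraction and the shell-string construction the advisory describes, beside a hardened form, as an added illustration in Python; this is not netrw's own Vim script, and the tempfile base name, the suffix whitelist and the `sftp` command line are assumptions made for the example.

```python
"""Temporary-file suffix handling: the weak form and a hardened form.

Added illustration in Python of the bug class the netrw advisory describes;
this is not netrw's own Vim script. The tempfile base name, the suffix
whitelist and the sftp command line are assumptions made for the example.
"""
import re
import shlex
from urllib.parse import urlsplit

# Assumption: a short alphanumeric extension is all filetype detection needs.
SAFE_SUFFIX_RE = re.compile(r"\.[A-Za-z0-9_]{1,16}$")
SHELL_METACHARS = set(";&|")


def suffix_unsafe(name):
    """Weak behaviour: everything after the last '.' is kept verbatim."""
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def suffix_safe(name):
    """Hardened behaviour: keep the suffix only if it is plain alphanumeric."""
    m = SAFE_SUFFIX_RE.search(name)
    return m.group(0) if m else ""


def remote_parts(url):
    """Split sftp://host/path into (host, path, basename).

    urlsplit is used rather than urlparse: urlparse treats ';' in an sftp
    URL as a parameter separator and would hide the payload from the demo.
    """
    u = urlsplit(url)
    path = u.path.lstrip("/")
    return u.hostname, path, path.rsplit("/", 1)[-1]


def fetch_command_unsafe(url, base="/tmp/vimnetrw"):
    """One shell string with the tempname interpolated unquoted."""
    host, path, name = remote_parts(url)
    tmp = base + suffix_unsafe(name)
    return f"sftp {host}:{path} {tmp}"


def fetch_command_safe(url, base="/tmp/vimnetrw"):
    """An argv list (run without a shell) with a whitelisted suffix."""
    host, path, name = remote_parts(url)
    tmp = base + suffix_safe(name)
    return ["sftp", f"{host}:{path}", tmp]


def as_shell_string(argv):
    """When a shell string cannot be avoided, quote every argument."""
    return " ".join(shlex.quote(a) for a in argv)


def has_unquoted_metachar(cmd):
    """True if the command string has ';', '&' or '|' outside quotes.

    shlex with punctuation_chars emits those characters as their own tokens
    only when they are unquoted; inside quotes they stay part of the word.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return any(tok and set(tok) <= SHELL_METACHARS for tok in lex)


# Constructed crafted URL: the "extension" carries a second command.
CRAFTED_URL = "sftp://host/dir/report.txt;touch pwned"


def demo():
    """Build both command forms for the crafted URL and report which one is injectable."""
    unsafe = fetch_command_unsafe(CRAFTED_URL)
    safe = fetch_command_safe(CRAFTED_URL)
    return {
        "unsafe": unsafe,
        "unsafe_injected": has_unquoted_metachar(unsafe),
        "safe_argv": safe,
        "safe_injected": has_unquoted_metachar(as_shell_string(safe)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two fixes are independent and both worth having: whitelisting the suffix stops the metacharacters from ever entering the tempname, and passing an argv list (or quoting every argument) stops whatever does reach the command line from being parsed by a shell.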

comment:3 by Bruce Dubbs, 13 days ago

Owner: changed from lfs-book to SecurityAdvisory

Fixed at commit bdd621f288. Leaving open for security advisory.

comment:4 by Douglas R. Reno, 13 days ago

Resolution: fixed
Status: new → closed

SA-13.0-063 issued
