Arbitrary Code Injection Affecting vim-minimal package, versions *


Severity

Recommended: 0.0 high (scale 0 to 10)

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.15% (5th percentile)

  • Snyk ID: SNYK-RHEL10-VIMMINIMAL-17770901
  • Published: 2 Jul 2026
  • Disclosed: 25 Jun 2026

Introduced: 25 Jun 2026

CVE-2026-55895
CWE-94

How to fix?

There is no fixed version for RHEL:10 vim-minimal.

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim-minimal package and not the vim-minimal package as distributed by RHEL. See How to fix? for RHEL:10 relevant fixed versions and status.

Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
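Since the trigger described above is a bar (|) in a name shown in the netrw directory listing, and no fixed RHEL:10 package is listed, one interim check is to audit the directories users browse for such names. The script below is an added example, not part of the advisory or of Vim; the function names and the sample tree are constructed for illustration, and it assumes a POSIX filesystem where | is a legal filename character.

```python
import os
import sys
import tempfile

BAR = "|"  # the Ex command separator named in the advisory text


def find_bar_names(root):
    """Return sorted (kind, relative_path) pairs for entries whose name contains '|'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for kind, names in (("dir", dirnames), ("file", filenames)):
            for name in names:
                if BAR in name:
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits.append((kind, rel))
    return sorted(hits)


def render(hit):
    """Format one hit; repr() keeps control characters in a name off the terminal."""
    kind, rel = hit
    return f"{kind:4} {rel!r}"


def build_sample_tree(base):
    """Create a constructed sample tree: two ordinary names, two containing a bar."""
    os.makedirs(os.path.join(base, "docs", "a|b"))
    for rel in ("notes.txt",
                os.path.join("docs", "plain.md"),
                os.path.join("docs", "report|draft.txt")):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample\n")
    return base


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = find_bar_names(sys.argv[1])  # audit a real directory
    else:
        with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed tree
            found = find_bar_names(build_sample_tree(tmp))
    for hit in found:
        print(render(hit))
    sys.exit(1 if found else 0)
```

Run with a directory argument, it exits non-zero when any flagged name is found, which suits a cron job or pre-extraction check on untrusted archives and shared upload directories.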

CVSS Base Scores

version 3.1