Description

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

INFO

Published Date :

2025-12-02T21:49:24.672Z

Last Modified :

2026-02-26T16:57:37.255Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66476 vulnerability.

Vendors Products
Microsoft
  • Windows
Vim
  • Vim
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66476.

URL Resource
http://www.openwall.com/lists/oss-security/2025/12/02/5 cve-icon
https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25 cve-icon cve-icon cve-icon
https://github.com/vim/vim/releases/tag/v9.1.1947 cve-icon cve-icon cve-icon
https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-66476 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-66476 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact