CVE-2026-39881

Vim Ex command injection in Vims NetBeans integration

Description

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

INFO

Published Date :

2026-04-08T20:18:19.774Z

Last Modified :

2026-04-09T13:50:24.001Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39881 vulnerability.

Vendors	Products
Vim	Vim

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39881.

URL	Resource
https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19
https://github.com/vim/vim/releases/tag/v9.2.0316
https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6
https://nvd.nist.gov/vuln/detail/CVE-2026-39881
https://www.cve.org/CVERecord?id=CVE-2026-39881

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact