=====================================================================
CERT-Renater Information Note No. 2026/VULN418
_____________________________________________________________________

DATE: 23/04/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Vim versions prior to 9.2.0383.
=====================================================================

https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx
_____________________________________________________________________

OS Command Injection in netrw affects Vim < 9.2.0383
Severity: Moderate
chrisbra published GHSA-85ch-p2qr-m5gx on Apr 22, 2026

Package: Vim (Vim)
Affected versions: < 9.2.0383
Patched versions: 9.2.0383

Description

OS Command Injection in netrw affects Vim < 9.2.0383

Date: 21.04.2026
Severity: Medium
CVE: requested, not yet assigned
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

An OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (for example one using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process.

Description

When netrw processes remote or local URLs such as sftp://host/path or file://host/path, it may create temporary files to store the transferred content. The temporary file name is derived in part from the original file name, including its suffix.

The vulnerability exists because the suffix extraction logic in s:GetTempfile() previously accepted arbitrary characters after the "." in a file name. This allowed shell metacharacters (e.g. ";", "|", "&") to be embedded in the suffix and propagated into the generated temporary file name. Because that temporary file name was then passed to external commands (such as sftp or configured file handlers) without proper escaping, an attacker could inject arbitrary shell commands.
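The following is an added illustration of the pattern described above, written in Python rather than Vim script; it is not netrw's code and does not reproduce the upstream patch. It models the permissive suffix extraction (everything after the last ".") beside one possible hardened rule (truncate the suffix at the first character outside [A-Za-z0-9_]; an assumption, not necessarily what v9.2.0383 does), builds the temporary file name from it, and then shows the three ways the resulting path can reach an external program: interpolated into a shell command line, shell-quoted, or passed as an argv vector without a shell. The host example.invalid, the "echo injected" payload, and all function names are constructed for the example.

```python
"""Model of the netrw temp-file suffix issue (CWE-78): permissive versus
hardened suffix extraction, and how the resulting path reaches a shell.
Added illustration, not Vim's or netrw's own code."""
import os
import re
import shlex

# Characters a POSIX shell interprets specially. Any of these inside a string
# that is interpolated into a shell command line changes the command structure.
SHELL_META = set(';|&$`<>(){}*?\'"\\\n')

# Constructed sample URLs. "echo injected" is a harmless stand-in for a payload;
# the advisory names ";", "|" and "&" as the kind of characters that slipped through.
CRAFTED_URL = "sftp://example.invalid/data/report.txt;echo injected"
BENIGN_URL = "sftp://example.invalid/data/report.txt"


def basename_of(url: str) -> str:
    """Last path component of a URL or path."""
    return url.rsplit("/", 1)[-1]


def suffix_permissive(url: str) -> str:
    """Everything after the last '.' in the file name, unchecked.
    Models the extraction behaviour the advisory describes as the flaw."""
    base = basename_of(url)
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1]


def suffix_hardened(url: str) -> str:
    """Keep only the leading run of [A-Za-z0-9_] after the last '.'.
    One possible defence (an assumption here, not necessarily the upstream fix):
    the suffix stops at the first character outside the safe set."""
    base = basename_of(url)
    if "." not in base:
        return ""
    tail = base.rsplit(".", 1)[1]
    safe = re.match(r"[A-Za-z0-9_]*", tail).group(0)
    return "." + safe if safe else ""


def tempname(suffix: str, tmpdir: str = "/tmp", stem: str = "vim_netrw") -> str:
    """Temporary file path built from a fixed stem plus the derived suffix."""
    return os.path.join(tmpdir, stem + suffix)


def sftp_cmdline_unsafe(host: str, remote_path: str, tmp: str) -> str:
    """Command line assembled by string concatenation and meant for a shell.
    A metacharacter in `tmp` (or in `remote_path`) terminates the sftp command
    and starts a new one: this is the CWE-78 pattern."""
    return f"sftp {host}:{remote_path} {tmp}"


def sftp_cmdline_quoted(host: str, remote_path: str, tmp: str) -> str:
    """Same command with every operand shell-quoted; metacharacters stay data."""
    return " ".join(shlex.quote(a) for a in ("sftp", f"{host}:{remote_path}", tmp))


def sftp_argv(host: str, remote_path: str, tmp: str) -> list:
    """argv form for execve()/subprocess without a shell: nothing is re-parsed."""
    return ["sftp", f"{host}:{remote_path}", tmp]


def has_shell_meta(s: str) -> bool:
    """True if `s` contains any character from SHELL_META."""
    return any(c in SHELL_META for c in s)


def split_url(url: str):
    """('host', '/path') from a scheme://host/path URL (constructed helper)."""
    rest = url.split("://", 1)[1]
    host, _, path = rest.partition("/")
    return host, "/" + path


if __name__ == "__main__":
    host, path = split_url(CRAFTED_URL)
    for label, fn in (("permissive", suffix_permissive), ("hardened", suffix_hardened)):
        tmp = tempname(fn(CRAFTED_URL))
        print(f"{label:10s} tmp={tmp!r} meta={has_shell_meta(tmp)}")
        print("  unsafe :", sftp_cmdline_unsafe(host, path, tmp))
        print("  quoted :", sftp_cmdline_quoted(host, path, tmp))
        print("  argv   :", sftp_argv(host, path, tmp))
```

Two things the model makes visible. First, restricting the suffix alone only makes the temporary file name inert; the remote path operand in the same command line is still attacker-controlled, so quoting every operand (or avoiding the shell entirely with an argv vector) is the defence that closes the class, not just this instance. Second, a quick check that a generated name contains no SHELL_META character is a cheap regression test to keep around any code path that derives file names from untrusted input and later hands them to external commands.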
Impact

The vulnerability allows arbitrary shell command execution in the context of the Vim process. Exploitation requires the user to open a specially crafted URL, and the injected payload is typically visible in the file name, which makes stealthy exploitation less likely. The severity is therefore rated Medium.

Acknowledgements

The Vim project would like to thank Joshua Rogers of the AISLE Research Team for reporting the issue.

References

The issue has been fixed as of Vim patch v9.2.0383.
- Commit
- GitHub Security Advisory

Severity: Moderate, 4.4 / 10

CVSS v3.1 base metrics
  Attack vector:        Local
  Attack complexity:    Low
  Privileges required:  None
  User interaction:     Required
  Scope:                Unchanged
  Confidentiality:      Low
  Integrity:            Low
  Availability:         None
  Vector string:        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE ID: No known CVE
Weaknesses: CWE-78
Credits: @MegaManSec (Reporter)

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================