=====================================================================
CERT-Renater Note d'Information No. 2026/VULN595
_____________________________________________________________________

DATE: 05/06/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Vim versions prior to 9.2.597.
=====================================================================

https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
_____________________________________________________________________

Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.597

Severity: Moderate
Published by chrisbra as GHSA-65p9-mwwx-7468 on Jun 4, 2026

Package:           Vim (Vim)
Affected versions: < 9.2.0597
Patched versions:  9.2.0597

Description

Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.597

Date: 2026-06-04
Severity: Medium
CVE: requested, not yet assigned
CWE: Improper Control of Generation of Code (CWE-94)

Summary

Vim's Python omni-completion executes reconstructed function and class
definitions from the current buffer with exec() as part of populating the
completion dictionary. Python evaluates function default values, parameter
annotations, and class base expressions at definition time, so a hostile
buffer can execute attacker-controlled Python expressions during
omni-completion. The existing g:pythoncomplete_allow_import mitigation
(GHSA-52mc-rq6p-rc7c) does not cover this path, because the
attacker-controlled code is not a harvested import/from statement.

Description

In runtime/autoload/python3complete.vim (and the legacy pythoncomplete.vim),
the omni-completion entry point calls exec(src, self.compldict) on source
reconstructed from the parsed buffer. The reconstructed source includes
function definitions whose parameter lists are joined verbatim from tokens
harvested by the internal _parenparse() helper, which preserves default
expressions and annotations as written in the buffer. The same applies to
class base lists. When exec() runs the reconstructed def and class
statements, Python evaluates those expressions.

Impact

An attacker who can convince a user to open or edit a hostile Python buffer
and trigger Python omni-completion (CTRL-X CTRL-O, or a plugin that invokes
the completion function) can execute Python code in the user's Vim process.
The code runs with the user's privileges.

Vim built without +python3 and +python is not affected. Triggering
omni-completion in the hostile buffer is required; opening the file alone is
not sufficient.

Acknowledgements

The Vim project would like to thank github user DavidCarliez for reporting
and analyzing the issue.

References

The issue has been fixed as of Vim patch v9.2.597.

- Commit
- Github Security Advisory GHSA-52mc-rq6p-rc7c (prior mitigation for the
  same surface)

Severity: Moderate
CVE ID: No known CVE
Weaknesses: CWE-94
Credits: @DavidCarliez (DavidCarliez), Reporter

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
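The definition-time evaluation that the Description section relies on, shown as an added example (this is not Vim's python3complete.vim code and not the reporter's analysis): a small model of the exec()-based pattern next to an ast-based alternative that reads the same function and class signatures without evaluating anything. The sample buffer, the _marker helper and the collect_* function names are constructed for this example.

```python
import ast

# Records which definition-time expressions ran. Constructed for this example.
SIDE_EFFECTS = []


def _marker(tag, value):
    """Stand-in for an expression with a side effect: records that it was
    evaluated and returns the value the surrounding syntax needs."""
    SIDE_EFFECTS.append(tag)
    return value


# Constructed sample buffer: a function with a default value and an
# annotation, and a class with a base expression. Each expression calls
# _marker so we can observe whether it was evaluated.
SAMPLE_BUFFER = '''
def handler(x=_marker("default", 0), y: _marker("annotation", int) = 1):
    return x + y

class Plugin(_marker("base", object)):
    pass
'''


def collect_with_exec(src):
    """Model of the pattern the advisory describes: exec() the reconstructed
    source and read the defined names out of the namespace. Python evaluates
    default values and class bases when it executes the def/class statements
    (annotations too, unless they are deferred by `from __future__ import
    annotations` or by Python 3.14's lazy annotation evaluation)."""
    namespace = {"_marker": _marker}
    exec(src, namespace)  # the unsafe step: definition-time expressions run
    return sorted(name for name in namespace if not name.startswith("_"))


def collect_with_ast(src):
    """Hardened alternative: parse the buffer into a syntax tree and read
    names, parameters and bases from it. ast.parse() evaluates nothing, so
    the same expressions stay inert source text."""
    entries = {}
    for node in ast.parse(src).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            params = [a.arg for a in node.args.args]
            entries[node.name] = "(" + ", ".join(params) + ")"
        elif isinstance(node, ast.ClassDef):
            bases = [ast.unparse(b) for b in node.bases]
            entries[node.name] = "class(" + ", ".join(bases) + ")"
    return entries


if __name__ == "__main__":
    print("ast :", collect_with_ast(SAMPLE_BUFFER), "ran:", SIDE_EFFECTS)
    print("exec:", collect_with_exec(SAMPLE_BUFFER), "ran:", SIDE_EFFECTS)
```

Running the block shows the difference directly: the ast path returns the signatures with SIDE_EFFECTS still empty, while the exec path returns the same names only after the default-value and base-class expressions have run. This is the reason an ast-based walk is the usual replacement for exec() when a completion engine only needs names and signatures from untrusted buffer text.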