Medium severity · 6.6 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026
CVE-2026-41411
Description
Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user. Jumping to a tag from a crafted tags file (for example with :tag, as the regression test does) is enough to trigger it. Patch 9.2.0357 fixes this by skipping the expansion entirely whenever the filename field contains a backtick.
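The following scanner is an added example and is not Vim's code or part of the advisory. It parses a ctags-style tags file, picks out the filename field, and reports, for each entry, whether a pre-patch Vim would have handed the name to wildcard expansion (and so to the shell if it carries a backtick) and whether the post-patch guard still expands it. The sample tags file is constructed; the `has_wildcard()` metacharacter set is an assumption that mirrors the Unix `mch_has_wildcard()` as recalled here, not a citation, so check `src/os_unix.c` before relying on it.

```python
"""Scan a ctags-style tags file for filename fields that a pre-9.2.0357 Vim
would have handed to wildcard expansion (and so to the shell when a backtick
is present). Added example, not Vim's own code.

Assumption: has_wildcard() below mirrors Vim's Unix mch_has_wildcard() as
recalled here, i.e. any of "*?[{`'$" or an unescaped '~' with text after it,
with a backslash escaping the following character. Treat that set as an
approximation and check os_unix.c before relying on it.
"""

# Constructed sample tags file (not from the advisory). Line 1 is a ctags
# header, line 2 is benign, line 3 carries the payload shape used by the Vim
# regression test, line 4 uses an environment variable, line 5 has an
# escaped backtick.
SAMPLE_TAGS = "\n".join([
    '!_TAG_FILE_FORMAT\t2\t/extended format/',
    'main\tsrc/main.c\t/^int main/;"\tf',
    'main\t`touch Xtags_pwnd`\t/^int main/;"\tf',
    'helper\t$HOME/proj/helper.c\t/^void helper/;"\tf',
    'odd\tsrc/we\\`ird.c\t/^int odd/;"\tf',
])

WILDCARD_CHARS = set("*?[{`'$")


def has_wildcard(fname: str) -> bool:
    """Does Vim consider this path worth expanding? (assumed model, see above)"""
    i = 0
    while i < len(fname):
        c = fname[i]
        if c == "\\" and i + 1 < len(fname):
            i += 2          # backslash-escaped character is not a wildcard
            continue
        if c in WILDCARD_CHARS or (c == "~" and i + 1 < len(fname)):
            return True
        i += 1
    return False


def expansion_decision(fname: str) -> dict:
    """Mirror the guard in expand_tag_fname() before and after the patch.
    Before: expand if has_wildcard(). After: additionally require that no
    backtick appears anywhere in the name (vim_strchr(fname, '`') == NULL)."""
    before = has_wildcard(fname)
    after = before and "`" not in fname
    return {"expands_before_fix": before, "expands_after_fix": after}


def parse_tags(text: str):
    """Yield (lineno, tagname, filename) for each tag line.
    Tag lines are TAB separated: tagname, filename, then the ex command and
    optional extension fields; !_TAG_ header lines are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("!_TAG_"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue        # malformed line, nothing to expand
        yield lineno, parts[0], parts[1]


def scan(text: str) -> list:
    """Classify every tag line: 'injection' if a pre-patch Vim would have
    expanded a backtick-bearing name, 'wildcard' if it is expanded without
    a backtick (still true after the fix), 'literal' otherwise."""
    findings = []
    for lineno, tag, fname in parse_tags(text):
        d = expansion_decision(fname)
        backtick = "`" in fname
        if backtick and d["expands_before_fix"]:
            verdict = "injection"
        elif d["expands_before_fix"]:
            verdict = "wildcard"
        else:
            verdict = "literal"
        findings.append({"line": lineno, "tag": tag, "filename": fname,
                         "backtick_present": backtick, "verdict": verdict, **d})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TAGS):
        print(f"line {f['line']:2d} {f['verdict']:9s} {f['filename']}")
```

Two things the output makes visible that the description does not: environment-variable entries such as `$HOME/proj/helper.c` are still expanded after the fix (the patch only refuses names containing a backtick), and the fix is stricter than the wildcard test, since an escaped backtick disables expansion for the whole name even though the assumed wildcard model would not have treated it as a wildcard in the first place. Run the scanner over tags files in checked-out repositories before trusting them on an unpatched Vim.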
Affected products (1)
Patches (1)
c78194e41d5a · patch 9.2.0357: [security]: command injection via backticks in tag files
3 files changed · +27 −1
src/tag.c+3 −1 modified@@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand) /* * Expand file name (for environment variables) when needed. + * Disallow backticks, they could execute arbitrary shell + * commands. This is not needed for tag filenames. */ - if (expand && mch_has_wildcard(fname)) + if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL) { ExpandInit(&xpc); xpc.xp_context = EXPAND_FILES;
src/testdir/test_tagjump.vim+22 −0 modified@@ -1693,4 +1693,26 @@ func Test_tag_excmd_with_number_vim9script() bwipe! endfunc +" Test that backtick expressions in tag filenames are not expanded. +" This prevents command injection via malicious tags files. +func Test_tag_backtick_filename_not_expanded() + let pwned_file = 'Xtags_pwnd' + call assert_false(filereadable(pwned_file)) + + let tagline = "main\t`touch " .. pwned_file .. "`\t/^int main/;\"\tf" + call writefile([tagline], 'Xbt_tags', 'D') + call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c', 'D') + + set tags=Xbt_tags + sp Xbt_main.c + + " The :tag command should fail to find the file, but must NOT execute + " the backtick shell command. + call assert_fails('tag main', 'E429:') + call assert_false(filereadable(pwned_file)) + + set tags& + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab
src/version.c+2 −0 modified@@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 357, /**/ 356, /**/
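Review bot: in the src/tag.c hunk, the added `&& vim_strchr(fname, '`') == NULL` makes expand_tag_fname() fall through silently with the literal, unexpanded name, so a tags entry that contains a backtick ends in a generic file-not-found (E429 in the test) rather than anything that tells the user why; consider an explicit message, and note the behaviour change in the tags-file documentation, since the comment only says backticks are "not needed for tag filenames". Note also that names with `$VAR` or other wildcards and no backtick still go through ExpandOne() unchanged, which is intended but worth stating in the commit message.

Review bot: in the src/testdir/test_tagjump.vim hunk, Test_tag_backtick_filename_not_expanded() never deletes Xtags_pwnd, so if the assertion ever fails the file is left behind and the next run's opening `call assert_false(filereadable(pwned_file))` fails for the wrong reason; add `call delete(pwned_file)` before `bwipe!` (the 'D' flag only cleans up the two files written with writefile()). The payload also depends on a POSIX shell and `touch`, so guard the test (e.g. with the testdir's CheckUnix) on platforms where it would not run.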
References (3)
News mentions (0)
No linked articles in our index yet.