Medium severity5.3NVD Advisory· Published May 8, 2026· Updated May 14, 2026
CVE-2026-44656
Description
Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
Affected products
2Patches
1190cb3c2b9c7patch 9.2.0435: [security]: backticks in 'path' may cause shell execution on completion
6 files changed · +42 −2
runtime/doc/options.txt+4 −1 modified@@ -1,4 +1,4 @@ -*options.txt* For Vim version 9.2. Last change: 2026 May 01 +*options.txt* For Vim version 9.2. Last change: 2026 May 03 VIM REFERENCE MANUAL by Bram Moolenaar @@ -6799,6 +6799,9 @@ A jump table for the options with a short description can be found at |Q_op|. < Replace the ';' with a ':' or whatever separator is used. Note that this doesn't work when $INCL contains a comma or white space. + This option cannot be set from a |modeline| or in the |sandbox|, for + security reasons. + *'perldll'* 'perldll' string (default depends on the build) global
src/findfile.c+4 −0 modified@@ -2412,6 +2412,10 @@ expand_path_option( { buflen = copy_option_part(&path_option, buf, MAXPATHL, " ,"); + // do not expand backticks, could have been set via a modeline + if (vim_strchr(buf, '`') != NULL) + continue; + if (buf[0] == '.' && (buf[1] == NUL || vim_ispathsep(buf[1]))) { size_t plen;
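Review bot: The rationale in the new comment, `could have been set via a modeline`, is already stale within this patch: the optiondefs.h hunk adds P_SECURE to 'path', so a modeline (or the sandbox) can no longer set it, and the backtick skip is defense in depth for values that arrive by any other route. I would say so explicitly: `// Never expand a 'path' entry containing backticks: they would be handed to the shell. 'path' is P_SECURE, so this only matters for values set by other means; the entry is skipped silently.` The silent `continue` drops the entry without any diagnostic, which looks intended but is worth stating in the comment so nobody later "fixes" it by reporting an error. expand_path_option begins and ends outside the hunk.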
src/optiondefs.h+1 −1 modified@@ -1958,7 +1958,7 @@ static struct vimoption options[] = (char_u *)&p_pm, PV_NONE, did_set_backupext_or_patchmode, NULL, {(char_u *)"", (char_u *)0L} SCTX_INIT}, - {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP, + {"path", "pa", P_STRING|P_EXPAND|P_VI_DEF|P_SECURE|P_COMMA|P_NODUP, (char_u *)&p_path, PV_PATH, NULL, NULL, { #if defined(AMIGA) || defined(MSWIN)
src/testdir/test_find_complete.vim+17 −0 modified@@ -161,4 +161,21 @@ func Test_find_complete() set path& endfunc +" Verify that backticks in 'path' are not executed +func Test_find_completion_backtick_in_path() + CheckUnix + CheckExecutable id + + new Xpoc.c + setl path+=`id>Xrce_marker` + " Triggering completion must not execute the backtick command. + call getcompletion('', 'file_in_path') + call assert_false(filereadable('Xrce_marker')) + call feedkeys(":find \t\n", "xt") + call assert_false(filereadable('Xrce_marker')) + + bwipe! + call delete('Xrce_marker') +endfunc + " vim: shiftwidth=2 sts=2 expandtab
src/testdir/test_modeline.vim+14 −0 modified@@ -665,4 +665,18 @@ func Test_modeline_strict_cannot_be_set_from_modeline() let &modeline = modeline endfunc +" Verify that backticks in 'path' set from a modeline are not executed +func Test_path_modeline() + let lines =<< trim END + // vim: set path+=foobar : + END + call writefile(lines, 'Xpoc.c', 'D') + + set nomodelinestrict modeline + call assert_fails('split Xpoc.c', 'E520:') + + bwipe! + set modelinestrict& modeline& +endfunc + " vim: shiftwidth=2 sts=2 expandtab
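Review bot: Test_path_modeline pins only the modeline half of P_SECURE; the flag also rejects `:set path` inside the sandbox, and no test in this patch checks that route. One extra assertion alongside the existing E520 check would cover it, e.g. `call assert_fails('sandbox set path+=foobar', 'E48:')`. Since the modeline is rejected, 'path' is never modified by this test, so the absence of a `set path&` in the cleanup is fine.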
src/version.c+2 −0 modified@@ -729,6 +729,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 435, /**/ 434, /**/
References
3News mentions
Patch Tuesday - May 2026 — Rapid7 Blog · May 13, 2026