Medium severity 5.3 · NVD Advisory · Published May 8, 2026 · Updated May 14, 2026
CVE-2026-44656
Description
Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
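A triage check for the modeline vector described above, as an added example (not code from Vim or from this advisory): it flags files whose modeline assigns `path` a value containing a backtick. It assumes Vim's default `modelines=5` and approximates modeline syntax with regular expressions; the sample inputs and the `placeholder-command` string are constructed.

```python
import re

# Heuristic scanner (added example; not Vim's own modeline parser).
MODELINES = 5  # assumption: Vim's default for the 'modelines' option

# "vi:", "vim:", "Vim:", "ex:", optionally with a version test such as "vim>900:".
# The marker must start the line or follow whitespace.
MODELINE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)")

# An assignment to 'path' (short name 'pa'), including the +=, ^= and -= forms.
# The value runs to the next unescaped whitespace or colon.
PATH_SET = re.compile(r"(?:^|[\s:])(?:path|pa)[+^-]?=((?:\\.|[^\s:\\])*)")


def suspicious_modelines(text, modelines=MODELINES):
    """Return (line_number, line) for modelines that put a backtick in 'path'."""
    lines = text.splitlines()
    head = range(min(modelines, len(lines)))
    tail = range(max(0, len(lines) - modelines), len(lines))
    hits = []
    # Vim only looks for modelines in the first and last 'modelines' lines.
    for i in sorted(set(head) | set(tail)):
        found = MODELINE.search(lines[i])
        if not found:
            continue
        for assign in PATH_SET.finditer(found.group(1)):
            if "`" in assign.group(1):
                hits.append((i + 1, lines[i].strip()))
                break
    return hits


# Constructed samples; "placeholder-command" stands in for any shell command.
SAMPLE_FLAGGED = (
    "int main(void) { return 0; }\n"
    "/* vim: set path=`placeholder-command`,/usr/include: */\n"
)
SAMPLE_CLEAN = (
    "# vim: set ts=4 sw=4 path=.,/usr/include:\n"
    "print('`not a modeline`')\n"
)
# Same modeline on line 10 of 20: outside the window Vim scans by default.
SAMPLE_OUT_OF_RANGE = "\n".join(
    ["x"] * 9 + ["# vim: set path=`placeholder-command`:"] + ["x"] * 10
)

if __name__ == "__main__":
    for name in ("SAMPLE_FLAGGED", "SAMPLE_CLEAN", "SAMPLE_OUT_OF_RANGE"):
        print(name, suspicious_modelines(globals()[name]))
```

A hit is a reason to review the file before opening it in a Vim older than 9.2.0435, not proof of malicious intent.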
Affected products (8)
- osv-coords (7 versions)
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4
  - Ranges: < 9.2.0530-1.1 + 6 more
- (no CPE) range: < 9.2.0530-1.1
- (no CPE) range: < 9.2.0530-150000.5.94.1
- (no CPE) range: < 9.2.0530-150000.5.94.1
- (no CPE) range: < 9.2.0530-150000.5.94.1
- (no CPE) range: < 9.2.0530-150000.5.94.1
- (no CPE) range: < 9.2.0530-150000.5.94.1
- (no CPE) range: < 9.2.0530-150000.5.94.1
References (3)
News mentions (1)
- Patch Tuesday - May 2026 · Rapid7 Blog · May 13, 2026