Low severity 3.6 · NVD Advisory · Published May 15, 2026 · Updated May 19, 2026
CVE-2026-46483
Description
Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
Affected products (13)
- osv-coords, 11 versions (< 9.2.0480-r0 + 10 more)
- pkg:apk/chainguard/vim (no CPE), range: < 9.2.0480-r0
- pkg:apk/chainguard/vim-doc (no CPE), range: < 9.2.0500-r0
- pkg:apk/wolfi/vim (no CPE), range: < 9.2.0480-r0
- pkg:apk/wolfi/vim-doc (no CPE), range: < 9.2.0500-r0
- pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed (no CPE), range: < 9.2.0530-1.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (no CPE), range: < 9.2.0530-150000.5.94.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (no CPE), range: < 9.2.0530-150000.5.94.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE), range: < 9.2.0530-150000.5.94.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE), range: < 9.2.0530-150000.5.94.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (no CPE), range: < 9.2.0530-150000.5.94.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (no CPE), range: < 9.2.0530-150000.5.94.1