Vim before 9.2.0272 allows code execution that happens...
Critical severity
Unreviewed
Published
Mar 30, 2026
to the GitHub Advisory Database
•
Updated Jun 30, 2026
Description
Published by the National Vulnerability Database
Mar 30, 2026
Published to the GitHub Advisory Database
Mar 30, 2026
Last updated
Jun 30, 2026
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
References