Vim Code Execution Vulnerability via Crafted Files (CVE-2026-34714)
Vim versions before 9.2.0272 allow code execution upon opening a specially crafted file due to %{expr} injection in tabpanel lacking P_MLE in the default configuration, potentially leading to arbitrary code execution.
Vim, a widely used text editor, is susceptible to a critical vulnerability (CVE-2026-34714) affecting versions prior to 9.2.0272. This flaw allows for arbitrary code execution simply by opening a malicious file. The vulnerability stems from a %{expr} injection vulnerability within the tabpanel component, specifically when it lacks the P_MLE protection. The default configuration of Vim is susceptible, amplifying the risk. An attacker can craft a Vim file that, when opened, will trigger the…
Detection coverage 2
Detect Suspicious Vim File Open with Expr Injection
criticalDetects attempts to exploit the Vim %{expr} injection vulnerability by monitoring for vim processes opening files with suspicious content.
Detect Execution from Suspicious Vim Process
highDetects potential code execution originating from a Vim process, indicative of exploitation attempts.
Detection queries are kept inside the platform. Get full rules →