Strix
26.1K

CVE-2026-42307

MEDIUMCVSS 4.4/10EPSS 0.77%

Last modified

CVE-2026-42307 is a medium-severity vulnerability rated 4.4/10 on the CVSS scale. Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. EPSS estimates a 0.77% chance of exploitation in the next 30 days.

Description

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

Metrics

CVSS 3.1
4.4/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Probability
0.77%

51.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
VimVim< 9.2.0383

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-42307?
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
How severe is CVE-2026-42307?
CVE-2026-42307 has a CVSS score of 4.4/10 (MEDIUM severity). The EPSS model estimates a 0.77% probability of exploitation in the next 30 days.
How do I fix CVE-2026-42307?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-42307?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST