2450907 – (CVE-2026-33412) CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function

Bug 2450907 (CVE-2026-33412) - CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function

Summary: CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in gl...

Keywords:
Status:	NEW
Alias:	CVE-2026-33412
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2451022
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-24 20:02 UTC by OSIDB Bzimport
Modified:	2026-03-24 22:19 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-24 20:02:45 UTC

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Note You need to log in before you can comment on or make changes to this bug.