Bug 2498868 (CVE-2026-59858) - CVE-2026-59858 vim: Vim: Arbitrary command execution via crafted tags file in C omni-completion
Summary: CVE-2026-59858 vim: Vim: Arbitrary command execution via crafted tags file in...
Keywords:
Status: NEW
Alias: CVE-2026-59858
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2499648
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-09 23:02 UTC by OSIDB Bzimport
Modified: 2026-07-13 12:53 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-09 23:02:05 UTC
Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.


Note You need to log in before you can comment on or make changes to this bug.