CVE-2026-52860

CVE Database · CVE-2026-52860

CVE-2026-52860

· HIGHAnalyzed

CVSS v3.1

7.8

CVSS v4.0

7.5

EPSS

0.23%

Published

Jun 11, 2026

Modified

Jun 15, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94

Affected Products (1)

vim · vim (up to 9.2.0597)vulnerable

References (4)

https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2

Patch

https://github.com/vim/vim/releases/tag/v9.2.0597

Product

https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c

MitigationVendor Advisory

https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs