CVE-2026-33412
7.3
HIGH
CVSS 3.1
EPSS 0.01%
Description
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
How to fix CVE-2026-33412
To remediate CVE-2026-33412, upgrade the affected package to a fixed version below.
- upgrade to 9.2.0219-r0 or later
- no fix listed
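One way to check a host against the fixed version 9.2.0202 named in the description, as an added example that is not part of the original advisory or Vim's own code: it parses the banner and "Included patches" lines of `vim --version` output. The function names and the sample outputs are constructed for illustration, and the check assumes any release newer than 9.2 carries the patch.

```python
import re
import subprocess

FIXED = (9, 2, 202)  # 9.2.0202, the fixed version given in the description


def parse_vim_version(text):
    """Return (major, minor, patch_ranges) parsed from `vim --version` output."""
    banner = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not banner:
        raise ValueError("input does not look like `vim --version` output")
    ranges = []
    patches = re.search(r"^Included patches:\s*(.+)$", text, re.M)
    if patches:
        # The line lists ranges such as "1-148, 150-300"; gaps are possible.
        for part in patches.group(1).split(","):
            part = part.strip()
            if part:
                lo, _, hi = part.partition("-")
                ranges.append((int(lo), int(hi or lo)))
    return int(banner.group(1)), int(banner.group(2)), ranges


def has_glob_fix(text):
    """True if the build reports patch 9.2.0202 or belongs to a later release."""
    major, minor, ranges = parse_vim_version(text)
    if (major, minor) != FIXED[:2]:
        # Assumption: releases after 9.2 include the fix; earlier ones do not.
        return (major, minor) > FIXED[:2]
    return any(lo <= FIXED[2] <= hi for lo, hi in ranges)


# Constructed sample outputs (not captured from real systems).
SAMPLE_PATCHED = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-219\n"
SAMPLE_UNPATCHED = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-201\n"

if __name__ == "__main__":
    print("sample patched:  ", has_glob_fix(SAMPLE_PATCHED))
    print("sample unpatched:", has_glob_fix(SAMPLE_UNPATCHED))
    try:
        out = subprocess.run(["vim", "--version"], capture_output=True,
                             text=True, check=True).stdout
        print("local vim:       ", has_glob_fix(out))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not run vim:", exc)
```

Distribution builds can carry the fix under their own package revision, so for packaged installs compare the package version against the fixed version listed above as well.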
Is CVE-2026-33412 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 9.2.0219-r0
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |