CVE-2026-39881

Description

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

How to fix CVE-2026-39881

To remediate CVE-2026-39881, upgrade the affected package to a fixed version below.

—upgrade to 9.2.0321-r0 or later
—no fix listed

Is CVE-2026-39881 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 9.2.0321-r0
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-39881
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-39881