CVE-2026-42307

Description

Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.

How to fix CVE-2026-42307

To remediate CVE-2026-42307, upgrade the affected package to a fixed version below.

—upgrade to 9.2.0389-r0 or later
—no fix listed

Is CVE-2026-42307 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 9.2.0389-r0
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-42307
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-42307