Netbeans command injection in Vim < v9.2.0316
Date: 07.04.2026
Severity: Medium
CVE: CVE-2026-39881
CWE: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
Summary
A command injection vulnerability in Vim's netbeans interface allows a malicious
netbeans server to execute arbitrary Ex commands when Vim connects to it, via
unsanitized strings in the defineAnnoType and specialKeys protocol messages.
Description
Vim includes a netbeans interface (:help netbeans) which allows an external
editor server to communicate with Vim over a TCP connection. The interface
handles a defineAnnoType message that defines sign and highlight group names,
and a specialKeys message that defines key mappings.
In defineAnnoType, the typeName, fg, and bg fields are interpolated
directly into Ex commands via coloncmd() without sanitization. Because Vim
interprets | as a command separator in Ex commands, a malicious server can
inject arbitrary Ex commands by embedding |cmd| in any of these fields.
Similarly, in specialKeys, key tokens are passed unsanitized into a map
command string, allowing injection via characters such as | or <.
Exploitation requires:
- The user starts Vim with the -nb flag pointing to a server controlled by the attacker (e.g. vim -nb:localhost:PORT:pwd file).
- The attacker's server sends a malicious defineAnnoType or specialKeys message after the connection handshake.
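As an added illustration (not Vim's own code), the following Python models the unsafe interpolation pattern described above and the allow-list check that neutralizes it: the Ex command text, the field allow-list, and the sample messages are assumptions for the demonstration, not taken from Vim's netbeans implementation.

```python
import re

# Assumption (not Vim's rule): a sign/highlight name or colour value only needs
# letters, digits, '_', '-' and '#' (for hex colours). Anything else, notably the
# '|' command separator, is rejected before it reaches an Ex command line.
SAFE_FIELD = re.compile(r"[A-Za-z0-9_#-]+")


def is_safe_field(value: str) -> bool:
    """True if the netbeans field contains only allow-listed characters."""
    return SAFE_FIELD.fullmatch(value) is not None


def build_anno_type_cmd_unchecked(type_name: str, fg: str, bg: str) -> str:
    """Model of the vulnerable pattern: raw interpolation of protocol fields
    into an Ex command line (illustrative command, not Vim's exact text)."""
    return f"highlight {type_name} guifg={fg} guibg={bg}"


def ex_commands(cmdline: str) -> list[str]:
    """Split a command line the way Ex treats '|' as a command separator."""
    return [c.strip() for c in cmdline.split("|") if c.strip()]


def count_injected_commands(type_name: str, fg: str, bg: str) -> int:
    """Defender's check: how many extra Ex commands a message would smuggle in
    if its fields were interpolated without sanitization (0 for a benign one)."""
    return len(ex_commands(build_anno_type_cmd_unchecked(type_name, fg, bg))) - 1


def build_anno_type_cmd_checked(type_name: str, fg: str, bg: str) -> str:
    """Hardened variant: validate every field against the allow-list first."""
    for name, value in (("typeName", type_name), ("fg", fg), ("bg", bg)):
        if not is_safe_field(value):
            raise ValueError(f"netbeans field {name!r} rejected: {value!r}")
    return build_anno_type_cmd_unchecked(type_name, fg, bg)


if __name__ == "__main__":
    # Constructed sample messages: one benign, one carrying a '|'-separated command.
    print(build_anno_type_cmd_checked("error", "#ff0000", "blue"))
    for tn in ("error", "error|echo smuggled|"):
        print(tn, "->", count_injected_commands(tn, "red", "blue"), "injected command(s)")
```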
Impact
Impact is medium. Exploitation requires the user to connect to a malicious
netbeans server, but once connected, arbitrary Ex commands could be executed,
although Vim may output error messages. This can lead to arbitrary file reads
and writes, or further code execution via Ex commands such as :call system().
Acknowledgements
The Vim project would like to thank GitHub user @Wang1rrr for identifying the
vulnerability.
References
The issue has been fixed as of Vim patch v9.2.0316.