Source: vim
Version: 2:9.2.0218-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for vim.

I'm still filing this as RC level, although in default configuration
modelines are disabled, feel free to adjust if you do not agree.

CVE-2026-34714[0]:
| Vim before 9.2.0272 allows code execution that happens immediately
| upon opening a crafted file in the default configuration, because
| %{expr} injection occurs with tabpanel lacking P_MLE.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34714
    https://www.cve.org/CVERecord?id=CVE-2026-34714
[1] https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh
[2] https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459

Regards,
Salvatore
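
An added example, not part of the original report or of Vim's code: a check of whether a vim build carries patch 9.2.0272, the first fixed level named in the CVE text above. It reads both a Debian package version and the `Included patches:` line of `vim --version`. The sample outputs are constructed, and the function names are this example's own.

```python
import re

# First fixed upstream patch level, taken from the CVE text quoted above.
FIXED = (9, 2, 272)

def parse_deb_version(deb):
    """'2:9.2.0218-1' -> (9, 2, 218); epoch and Debian revision are dropped."""
    upstream = deb.split(":", 1)[-1].rsplit("-", 1)[0]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised vim package version: {deb!r}")
    return tuple(int(g) for g in m.groups())

def parse_vim_version_output(text):
    """Return ((major, minor), set of patch numbers) from `vim --version` text."""
    rel = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not rel:
        raise ValueError("no version banner found")
    patches = set()
    inc = re.search(r"^Included patches: (.+)$", text, re.MULTILINE)
    if inc:
        # The list mixes ranges and single numbers, e.g. "1-218, 272".
        for item in inc.group(1).split(","):
            lo, _, hi = item.strip().partition("-")
            patches.update(range(int(lo), int(hi or lo) + 1))
    return (int(rel.group(1)), int(rel.group(2))), patches

def has_fix(text):
    """True if the build reports the fixing patch or a later release series."""
    release, patches = parse_vim_version_output(text)
    if release != FIXED[:2]:
        return release > FIXED[:2]
    return FIXED[2] in patches

# Constructed samples (not captured from a real system).
SAMPLE_UNFIXED = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-218\n"
SAMPLE_BACKPORT = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-218, 272\n"

if __name__ == "__main__":
    print(parse_deb_version("2:9.2.0218-1") < FIXED)  # version from this report
    print(has_fix(SAMPLE_UNFIXED), has_fix(SAMPLE_BACKPORT))
```

A distribution can also backport the fix as a package patch that leaves the patch list unchanged, so the security tracker entry [0] decides the status of a given package version.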
