Source: neovim
Version: 0.12.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/neovim/neovim/issues/39914
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for neovim.

CVE-2026-11487[0]:
| A flaw has been found in Neovim up to 0.12.2. Affected by this issue
| is the function M.read of the file runtime/lua/vim/secure.lua of the
| component View Branch. Executing a manipulation of the argument path
| can lead to command injection. It is possible to launch the attack
| on the local host. The exploit has been published and may be used.
| This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A
| patch should be applied to remediate this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11487
    https://www.cve.org/CVERecord?id=CVE-2026-11487
[1] https://github.com/neovim/neovim/issues/39914
[2] https://github.com/neovim/neovim/pull/39918
[3] https://github.com/neovim/neovim/commit/f83e0dcaf8cf18de94828341b0a1a61a86c75baf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

