highCVE-2026-59858

CVE-2026-59858 Vim vulnerability

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.

ProductVim
CVSS8.4
EPSS0.00137
UpdatedJuly 12, 2026

Quick answer

Vim should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Vim before 9.2.0735

Fixed versions

  • 9.2.0735

How to fix it

CVE-2026-59858 affects Vim before 9.2.0735 where C omni-completion can execute arbitrary Ex commands from crafted tags fields when a user opens a hostile C project and invokes completion. Prioritize developer workstations, build hosts, jump boxes, and environments where users open untrusted source trees, spell files, or tags files. Upgrade Vim to 9.2.0735 or a later patched package from the OS vendor or upstream. Avoid invoking omni-completion in untrusted C projects and disable untrusted project tags until patched.

  1. Inventory Vim installations on developer workstations, servers, containers, CI images, jump hosts, and base images.
  2. Identify Vim versions before 9.2.0735 and determine whether the OS vendor package backports the relevant upstream patch.
  3. Upgrade Vim to 9.2.0735 or a later patched package, then rebuild affected base images and development containers.
  4. Avoid invoking omni-completion in untrusted C projects and disable untrusted project tags until patched.
  5. Reduce trust in project-local tags, completion scripts, modelines, spell files, and plugin-provided runtime files for repositories from untrusted sources.
  6. Review shell history, editor logs, endpoint telemetry, and suspicious project files for unexpected Ex commands, shell escapes, or crashes.
  7. If code execution is suspected, preserve the malicious project, rotate affected credentials, and rebuild compromised developer environments.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm vim --version or package metadata reports Vim 9.2.0735 or a vendor-patched later build.
  • Confirm Vim patch level is 9.2.0735 or later and crafted typeref/typename tags are escaped.
  • Confirm patched completion or spell workflows handle crafted inputs without executing commands or corrupting memory.
  • Rerun OS package, container, and endpoint vulnerability scans to confirm vulnerable Vim builds are gone.
  • Document patched versions, rebuilt images, user guidance, and any incident evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59858?

Vim versions listed as affected should be reviewed: Vim before 9.2.0735.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.