CVE-2025-66476

Dec. 3, 2025, 1:15 a.m.

7.8
High

Description

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

Product(s) Impacted

Vendor Product Versions
Vim
  • Vim
  • <9.1.1947

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-427
Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a vim vim <9.1.1947 / / / / / / /

References

https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25
https://github.com/vim/vim/releases/tag/v9.1.1947
https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834
http://www.openwall.com/lists/oss-security/2025/12/02/5

Tags

security-advisories@github.com
CWE-427
2025-12-02
CVE-2025-66476

CVSS Score

7.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 2, 2025, 10:16 p.m.
Last Modified: Dec. 3, 2025, 1:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.