Three vulnerabilities in Vim could allow arbitrary command execution or denial of service: CVE-2026-42307 (CVSS 4.4) via malicious URL schemes in the netrw plugin, CVE-2026-44656 (CVSS 5.3) via command-line completion for the :find command, and CVE-2026-45130 (CVSS 6.6) via loading spell files. All Vim versions prior to 9.2.0450 are affected, with specific fixes applied in versions 9.2.0383, 9.2.0435, and 9.2.0450 respectively. Users must upgrade to Vim version 9.2.0450 or later to remediate all issues.
Joshua Rogers discovered that Vim incorrectly handled certain URL schemes in the netrw plugin. An attacker could possibly use this issue to execute arbitrary commands. (CVE-2026-42307)

It was discovered that Vim incorrectly handled command-line completion for the :find command. An attacker could possibly use this issue to execute arbitrary commands. (CVE-2026-44656)

Daniel Cervera discovered that Vim incorrectly handled loading spell files. An attacker could possibly use this issue to cause a denial of service, or to execute arbitrary code. (CVE-2026-45130)
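
An added example, not part of the advisory or the Vim project: a Python check that reads `vim --version` text and reports which of the three CVEs still lack their fix patch. It assumes the fix versions above are patch numbers on the 9.2 branch as listed in the "Included patches" line and that later branches contain all three; it cannot see a fix that a distribution backported to an older branch, and the sample outputs are constructed.

```python
import re

# Fix patch numbers on the 9.2 branch, from the advisory text above.
FIX_PATCH = {
    "CVE-2026-42307": 383,  # netrw URL schemes
    "CVE-2026-44656": 435,  # :find command-line completion
    "CVE-2026-45130": 450,  # spell file loading
}
FIX_BRANCH = (9, 2)

def parse_vim_version(text):
    """Return ((major, minor), [(lo, hi), ...]) parsed from `vim --version` text."""
    banner = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not banner:
        raise ValueError("no Vim version banner found")
    branch = (int(banner.group(1)), int(banner.group(2)))
    ranges = []
    patches = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if patches:
        # Entries are single patches ("383") or ranges ("1-300"), comma separated.
        for item in filter(None, (s.strip() for s in patches.group(1).split(","))):
            lo, _, hi = item.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return branch, ranges

def unfixed_cves(text):
    """List the CVEs whose fix patch is absent from this build."""
    branch, ranges = parse_vim_version(text)
    if branch > FIX_BRANCH:   # assumption: later branches contain all 9.2 patches
        return []
    if branch < FIX_BRANCH:   # older branch: no 9.2 patch numbers to match
        return sorted(FIX_PATCH)
    return sorted(cve for cve, n in FIX_PATCH.items()
                  if not any(lo <= n <= hi for lo, hi in ranges))

# Constructed sample outputs (not captured from real builds).
PARTIAL = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-440\n"
CHERRY = "VIM - Vi IMproved 9.2 (constructed sample)\nIncluded patches: 1-300, 383, 435, 450\n"
OLDER = "VIM - Vi IMproved 9.1 (constructed sample)\nIncluded patches: 1-1200\n"

if __name__ == "__main__":
    for name, sample in (("partial", PARTIAL), ("cherry-picked", CHERRY), ("older", OLDER)):
        print(name, unfixed_cves(sample) or "all three fixes present")
```

Checking for each patch number, instead of comparing against the highest one listed, handles builds that cherry-pick individual patches on top of a lower contiguous range.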