DEBIAN-CVE-2026-33412

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-33412
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33412.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33412
Upstream
  • CVE-2026-33412
Published
2026-03-24T20:16:29.740Z
Modified
2026-03-25T08:00:30.611527Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N CVSS Calculator
Summary
[none]
Details

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

References

Affected packages

Debian:11 / vim

Package

Name
vim
Purl
pkg:deb/debian/vim?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2:8.*
2:8.2.2434-3
2:8.2.2434-3+deb11u1
2:8.2.2434-3+deb11u2
2:8.2.2434-3+deb11u3
2:8.2.3455-1
2:8.2.3455-2
2:8.2.3565-1
2:8.2.3995-1
2:8.2.4659-1
2:8.2.4793-1
2:9.*
2:9.0.0135-1
2:9.0.0229-1
2:9.0.0242-1
2:9.0.0626-1
2:9.0.0813-1
2:9.0.1000-1
2:9.0.1000-2
2:9.0.1000-3
2:9.0.1000-4
2:9.0.1378-1
2:9.0.1378-2
2:9.0.1658-1
2:9.0.1672-1
2:9.0.1894-1
2:9.0.2018-1
2:9.0.2087-1
2:9.0.2103-1
2:9.0.2116-1
2:9.0.2189-1
2:9.1.0-1
2:9.1.0016-1
2:9.1.0199-1
2:9.1.0374-1
2:9.1.0377-1
2:9.1.0496-1
2:9.1.0698-1
2:9.1.0709-1
2:9.1.0709-2
2:9.1.0777-1
2:9.1.0861-1
2:9.1.0967-1
2:9.1.0967-2
2:9.1.1113-1
2:9.1.1230-1
2:9.1.1230-2
2:9.1.1385-1
2:9.1.1766-1
2:9.1.1829-1
2:9.1.1846-1
2:9.1.1882-1
2:9.1.2103-1
2:9.1.2141-1
2:9.2.0119-1
2:9.2.0136-1
2:9.2.0218-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33412.json"

Debian:12 / vim

Package

Name
vim
Purl
pkg:deb/debian/vim?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2:9.*
2:9.0.1378-2
2:9.0.1378-2+deb12u1
2:9.0.1378-2+deb12u2
2:9.0.1658-1
2:9.0.1672-1
2:9.0.1894-1
2:9.0.2018-1
2:9.0.2087-1
2:9.0.2103-1
2:9.0.2116-1
2:9.0.2189-1
2:9.1.0-1
2:9.1.0016-1
2:9.1.0199-1
2:9.1.0374-1
2:9.1.0377-1
2:9.1.0496-1
2:9.1.0698-1
2:9.1.0709-1
2:9.1.0709-2
2:9.1.0777-1
2:9.1.0861-1
2:9.1.0967-1
2:9.1.0967-2
2:9.1.1113-1
2:9.1.1230-1
2:9.1.1230-2
2:9.1.1385-1
2:9.1.1766-1
2:9.1.1829-1
2:9.1.1846-1
2:9.1.1882-1
2:9.1.2103-1
2:9.1.2141-1
2:9.2.0119-1
2:9.2.0136-1
2:9.2.0218-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33412.json"

Debian:13 / vim

Package

Name
vim
Purl
pkg:deb/debian/vim?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2:9.*
2:9.1.1230-2
2:9.1.1385-1
2:9.1.1766-1
2:9.1.1829-1
2:9.1.1846-1
2:9.1.1882-1
2:9.1.2103-1
2:9.1.2141-1
2:9.2.0119-1
2:9.2.0136-1
2:9.2.0218-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33412.json"

Debian:14 / vim

Package

Name
vim
Purl
pkg:deb/debian/vim?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2:9.*
2:9.1.1230-2
2:9.1.1385-1
2:9.1.1766-1
2:9.1.1829-1
2:9.1.1846-1
2:9.1.1882-1
2:9.1.2103-1
2:9.1.2141-1
2:9.2.0119-1
2:9.2.0136-1
2:9.2.0218-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33412.json"