UBUNTU-CVE-2026-11487

Source
https://ubuntu.com/security/CVE-2026-11487
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-11487
Upstream
  • CVE-2026-11487
Published
2026-06-08T05:16:00Z
Modified
2026-06-12T09:04:03.174037380Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
  • Ubuntu - medium
Summary
[none]
Details

A flaw has been found in Neovim up to 0.12.2. The issue affects the function M.read in the file runtime/lua/vim/secure.lua of the component View Branch. Manipulating the argument path can lead to command injection. The attack can be launched on the local host. The exploit has been published and may be used. The patch is identified as f83e0dcaf8cf18de94828341b0a1a61a86c75baf. Applying the patch is recommended to remediate this issue.

Affected packages

Ubuntu:20.04:LTS
neovim

Package

Name
neovim
Purl
pkg:deb/ubuntu/neovim?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 - Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.3.8-1
0.4.3-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.4.3-3",
            "binary_name": "neovim"
        },
        {
            "binary_version": "0.4.3-3",
            "binary_name": "neovim-runtime"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json"
Ubuntu:22.04:LTS
neovim

Package

Name
neovim
Purl
pkg:deb/ubuntu/neovim?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 - Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.4.4-1
0.5.1-1
0.6.0-1
0.6.1-1
0.6.1-2
0.6.1-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.6.1-3",
            "binary_name": "neovim"
        },
        {
            "binary_version": "0.6.1-3",
            "binary_name": "neovim-runtime"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json"
Ubuntu:24.04:LTS
neovim

Package

Name
neovim
Purl
pkg:deb/ubuntu/neovim?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 - Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.7.2-7
0.7.2-8
0.9.5-6ubuntu1
0.9.5-6ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.5-6ubuntu2",
            "binary_name": "neovim"
        },
        {
            "binary_version": "0.9.5-6ubuntu2",
            "binary_name": "neovim-runtime"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json"
Ubuntu:25.10
neovim

Package

Name
neovim
Purl
pkg:deb/ubuntu/neovim?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 - Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.9.5-10
0.10.4-8build2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.10.4-8build2",
            "binary_name": "neovim"
        },
        {
            "binary_version": "0.10.4-8build2",
            "binary_name": "neovim-runtime"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json"
Ubuntu:26.04:LTS
neovim

Package

Name
neovim
Purl
pkg:deb/ubuntu/neovim?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 - Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.10.4-8build2
0.11.4-3
0.11.4-4
0.11.5-2
0.11.5-3
0.11.6-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.11.6-1",
            "binary_name": "neovim"
        },
        {
            "binary_version": "0.11.6-1",
            "binary_name": "neovim-runtime"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json"
Ubuntu:Pro:18.04:LTS
neovim

Package

Name
neovim
Purl
pkg:deb/ubuntu/neovim?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 - Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.2.0-3build2
0.2.2-2
0.2.2-3
0.2.2-3ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.2.2-3ubuntu0.1~esm1",
            "binary_name": "neovim"
        },
        {
            "binary_version": "0.2.2-3ubuntu0.1~esm1",
            "binary_name": "neovim-runtime"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-11487.json"