CVE-2026-47167: Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex

Q: What is the severity of CVE-2026-47167?

CVE-2026-47167 has a medium severity rating of 5.1 according to the CVSS score.

Q: How do I fix CVE-2026-47167?

To fix CVE-2026-47167, upgrade to Vim version 9.2.0496 or later where the vulnerability has been addressed.

Q: What type of vulnerability is CVE-2026-47167?

CVE-2026-47167 is a code injection vulnerability affecting the cucumber filetype plugin in Vim.

Q: Which Vim versions are affected by CVE-2026-47167?

CVE-2026-47167 affects Vim versions prior to 9.2.0496 that are built with +ruby support.

Q: What is the attack vector for CVE-2026-47167?

The attack vector for CVE-2026-47167 is local, as it requires the attacker to have access to the affected Vim installation.

Published Jun 11, 2026

Updated

Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features// or stories// directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.

Other sources

Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex

— Microsoft

Affected Software

2 affected componentsFixes available

vim Vim<9.2.0496

Microsoft azl3 vim 9.2.0488-1

Patch available

Event History

Jun 11, 2026

CVE Published

via MITRE·06:31 PM

Data Sourced

via MITRE·06:31 PM

DescriptionWeakness

Data Sourced

via NVD·07:16 PM

DescriptionSeverityWeakness

Jun 13, 2026

Data Sourced

via Microsoft·08:01 AM

DescriptionSeverityWeaknessAffected Software

Updated

via Microsoft·08:01 AM

DescriptionSeverity

Frequently Asked Questions

What is the severity of CVE-2026-47167?

CVE-2026-47167 has a medium severity rating of 5.1 according to the CVSS score.

How do I fix CVE-2026-47167?

To fix CVE-2026-47167, upgrade to Vim version 9.2.0496 or later where the vulnerability has been addressed.

What type of vulnerability is CVE-2026-47167?

CVE-2026-47167 is a code injection vulnerability affecting the cucumber filetype plugin in Vim.

Which Vim versions are affected by CVE-2026-47167?

CVE-2026-47167 affects Vim versions prior to 9.2.0496 that are built with +ruby support.

What is the attack vector for CVE-2026-47167?

The attack vector for CVE-2026-47167 is local, as it requires the attacker to have access to the affected Vim installation.

CVE-2026-47167: Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex

Other sources

Affected Software

Event History

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2026-47167?

How do I fix CVE-2026-47167?

What type of vulnerability is CVE-2026-47167?

Which Vim versions are affected by CVE-2026-47167?

What is the attack vector for CVE-2026-47167?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2026-47167?

How do I fix CVE-2026-47167?

What type of vulnerability is CVE-2026-47167?

Which Vim versions are affected by CVE-2026-47167?

What is the attack vector for CVE-2026-47167?