CVE-2026-52860

Description

Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.

• How can I get the fixes?
• What do statuses mean?
• Patch details

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Patch details

Severity score breakdown

CVSS version: CVSS v4.0 CVSS v4.0 CVSS v3.0

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-8451-1
• Vim vulnerabilities
• 18 June 2026

Other references

• https://www.cve.org/CVERecord?id=CVE-2026-52860
• https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
• https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2
• https://github.com/vim/vim/releases/tag/v9.2.0597
• https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c