CVE-2026-34714: Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Overview

Severity
Critical (CVSS 9.2)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L/E:U
Exploit Status
Not Exploited
Patch Tuesday
2026-Mar
Released
2026-04-01
Last Updated
2026-04-08
EPSS Score
0.59% (percentile: 43.7%)

Affected Products (2)

Other

  • 21163-17086
  • 21147-17084

Revision History

  • 2026-04-01: Information published.
  • 2026-04-02: Information published.
  • 2026-04-08: Information published.