Pkgs

vim

Version: 9.2.0597

The official Vim repository

Install package

min add vim

Tool c cross-platform text-editor

Updated 18 days ago

Supply chain security: 38
Advisories: 10
Quality: 25
Maintenance: 100
Licence: 100

What is "vim"?

The official Vim repository

How to use this package

Quick install

Installs the package into the current environment for this session. Use --build or --runtime to persist it as a build-time or runtime dependency.

min add vim

Declare as a task dependency in minimal.toml

Listing the package under tasks.<name>.packages makes it available inside that task’s sandbox.

[tasks.dev]
packages = ["vim"]

Build-time vs runtime

Choose build-time for tools needed during compilation, runtime for dynamic libraries loaded at runtime.

min add --build vim
min add --runtime vim

Compare versions to

Dependencies (6)

Dependencies
Name	Version	Kind
acl	2.3.2	runtime
base	—	build
make	4.4.1	build
ncurses	6.5-20250830	runtime
pkgconf	2.5.1	build
toolchain	—	build

Dependency changes

Include transitive

Showing 15 advisories, 5 of which are transitive via vim's dependencies

Security advisories for this package
	Status	IDs	Package	Version	Severity	Published
Critical ( 1 )
	Under investigation	CVE-2026-5450	glibc	2.42 – 2.43	Critical: 9.8	2 months ago
Summary Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. Via acl glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
High ( 7 )
	Status	IDs	Package	Version	Severity	Published
	Under investigation	CVE-2026-57456	vim	9.2.0506 – 9.2.0597	High: 7.8	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
	Under investigation	CVE-2026-57455	vim	9.2.0506 – 9.2.0597	High: 7.8	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
	Under investigation	CVE-2026-55895	vim	9.2.0506 – 9.2.0597	High: 7.8	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (\|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
	Under investigation	CVE-2026-55693	vim	9.2.0506 – 9.2.0597	High: 7.8	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
	Under investigation	CVE-2026-5928	glibc	2.42 – 2.43	High: 7.5	2 months ago
Summary Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. Via acl glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-4046	glibc	2.42 – 2.43	High: 7.5	3 months ago
Summary The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. Via acl glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-4437	glibc	2.42 – 2.43	High: 7.5	3 months ago
Summary Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. Via acl glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Medium ( 6 )
	Status	IDs	Package	Version	Severity	Published
	Under investigation	CVE-2026-57454	vim	9.2.0506 – 9.2.0597	Medium: 6.1	yesterday
Summary Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
	Under investigation	CVE-2026-57453	vim	9.2.0506 – 9.2.0597	Medium: 6.5	yesterday
Summary Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
	Under investigation	CVE-2026-57452	vim	9.2.0506 – 9.2.0597	Medium: 5.5	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-57451	vim	9.2.0506 – 9.2.0597	Medium: 5.3	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H
	Under investigation	CVE-2026-55892	vim	9.2.0506 – 9.2.0597	Medium: 5.5	yesterday
Summary Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662. Affected ranges 9.2.0506 – 9.2.0597 CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
	Under investigation	CVE-2026-4438	glibc	2.42 – 2.43	Medium: 5.4	3 months ago
Summary Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. Via acl glibc Affected ranges 2.42 – 2.43 CVSS vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Low ( 0 )
	Status	IDs	Package	Version	Severity	Published
Unknown ( 1 )
	Status	IDs	Package	Version	Severity	Published
	Under investigation	GHSA-m3hf-xcm3-xhm2	vim	9.2.0506 – 9.2.0597	Unknown	2 days ago
Summary Out-of-bounds Write in SAL Soundfolding in Vim < 9.2.0725 Affected ranges 9.2.0506 – 9.2.0597 References Web: https://github.com/vim/vim/security/advisories/GHSA-m3hf-xcm3-xhm2

44 components

Software Bill of Materials — every package this build depends on
Packages	Version	Repository	Licence
vim ROOT	9.2.0597	github.com/vim/vim	Vim
acl	2.3.2	https://storage.googleapis.com/minimal-staging-archives/acl-2.3.2.tar.xz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
attr	2.5.2	https://storage.googleapis.com/minimal-staging-archives/attr-2.5.2.tar.gz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
bash	5.3	www.gnu.org/software/bash	GPL-3.0-only
bash-bootstrap	5.3	https://storage.googleapis.com/minimal-staging-archives/bash-5.3.tar.gz MIRROR	GPL-3.0-only
binutils	2.46.1	www.gnu.org/software/binutils	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.0-only)
bison	3.8.2	www.gnu.org/software/bison	GPL-3.0-only
bzip2	1.0.8	github.com/libarchive/bzip2	bzip2-1.0.6
coreutils	9.11	www.gnu.org/software/coreutils	GPL-3.0-only
diffutils	3.12	www.gnu.org/software/diffutils	GPL-3.0-only
expat	2.7.5	github.com/libexpat/libexpat	MIT
file	5.47	https://storage.googleapis.com/minimal-staging-archives/file-5.47.tar.gz MIRROR	BSD-2-Clause-Darwin
findutils	4.10.0	https://storage.googleapis.com/minimal-staging-archives/findutils-4.10.0.tar.xz MIRROR	GPL-3.0-only
flex	2.6.4	github.com/westes/flex	BSD-3-Clause-flex
gawk	5.4.0	www.gnu.org/software/gawk	GPL-3.0-only
gawk-bootstrap	5.3.2	https://storage.googleapis.com/minimal-staging-archives/gawk-5.3.2.tar.xz MIRROR	GPL-3.0-only
gcc	15.2.0	www.gnu.org/software/gcc	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
gdbm	1.26	www.gnu.org/software/gdbm	GPL-3.0-only
glibc	2.43	www.gnu.org/software/glibc	(GPL-2.0-only AND LGPL-2.1-only)
gmp	6.3.0	www.gnu.org/software/gmp	LGPL-3.0-or-later OR GPL-2.0-or-later
grep	3.12	www.gnu.org/software/grep	GPL-3.0-only
gzip	1.14	www.gnu.org/software/gzip	GPL-3.0-only
libcap	2.78	https://storage.googleapis.com/minimal-staging-archives/libcap-2.78.tar.xz MIRROR	BSD-3-Clause OR GPL-2.0-only
libffi	3.5.2	github.com/libffi/libffi	MIT
linux_headers	6.12.43	github.com/torvalds/linux	GPL-2.0-only WITH Linux-syscall-note
lz4	1.10.0	github.com/lz4/lz4	BSD-2-Clause AND GPL-2.0-or-later
m4	1.4.21	www.gnu.org/software/m4	GPL-3.0-only
make	4.4.1	www.gnu.org/software/make	GPL-3.0-only
mpc	1.4.0	www.gnu.org/software/mpc	LGPL-3.0-or-later
mpfr	4.2.2	www.gnu.org/software/mpfr	GPL-3.0-only
ncurses	6.5-20250830	www.gnu.org/software/ncurses	X11-distribute-modifications-variant
openssl	3.6.3	github.com/openssl/openssl	Apache-2.0
pcre2	10.47	github.com/PCRE2Project/pcre2	BSD-3-Clause WITH PCRE2-exception
perl	5.42.0	github.com/Perl/perl5	Artistic-1.0-Perl OR GPL-1.0-or-later
pkgconf	2.5.1	github.com/pkgconf/pkgconf	pkgconf
python	3.14.5	github.com/python/cpython	Python-2.0.1
readline	8.3	www.gnu.org/software/readline	GPL-3.0-only
sed	4.9	www.gnu.org/software/sed	GPL-3.0-only
sqlite	3.50.4	github.com/sqlite/sqlite	blessing
tar	1.35	www.gnu.org/software/tar	GPL-3.0-only
util-linux	2.42.1	github.com/util-linux/util-linux	GPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-3-Clause
xz	5.8.3	github.com/tukaani-project/xz	(0BSD AND GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
zlib	1.3.2	github.com/madler/zlib	Zlib
zstd	1.5.7	github.com/facebook/zstd	BSD-3-Clause OR GPL-2.0-only

vim

Install package

What is "vim"?

How to use this package

Quick install

Declare as a task dependency in minimal.toml

Build-time vs runtime

Dependencies (6)

Dependency changes

Summary

Via

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Affected ranges

CVSS vector

Summary

Via

Affected ranges

CVSS vector

Summary

Affected ranges

References

44 components