CVE Catalog

CVE-2026-11487

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Summary

A flaw has been found in Neovim up to version 0.12.2 in the M.read function of the runtime/lua/vim/secure.lua file, which can lead to command injection. Manipulating the path argument allows for an attack on the local host.

Risk Assessment

This vulnerability poses a risk of injecting malicious commands, potentially allowing an attacker to gain control over the system.

Recommendation

It is recommended to apply the patch f83e0dcaf8cf18de94828341b0a1a61a86c75baf to remediate this issue.

Original NVD description (English source)

A flaw has been found in Neovim up to 0.12.2. Affected by this issue is the function M.read of the file runtime/lua/vim/secure.lua of the component View Branch. Executing a manipulation of the argument path can lead to command injection. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A patch should be applied to remediate this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS