Vim and GNU Emacs file-open RCE flaws
Vulnerability
Summary
Vim and GNU Emacs have file-open remote code execution flaws that can run attacker code as soon as a crafted file is opened. The Vim issue affects 9.2.0271 and earlier and was patched in 9.2.0272 after missing security checks and modeline handling let embedded code bypass sandbox expectations. The GNU Emacs issue remains unpatched and can be triggered through vc-git, where opening a file can cause Git to read an attacker-controlled .git/config and execute core.fsmonitor.
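A defender's check for the GNU Emacs vector described above, written as an added example (not code from the article, the researcher, or either project): it walks a directory tree, such as an unpacked archive, and reports every `.git/config` whose `core.fsmonitor` is set to something other than a Git boolean, since Git treats such a value as a hook command to run. The function names and the sample config are constructed for illustration; the scan reads only `.git/config` itself and does not follow config includes.

```python
import os
import re
import tempfile

# Values Git reads as booleans; any other core.fsmonitor value is used as a hook command.
GIT_BOOLEANS = {"true", "yes", "on", "1", "false", "no", "off", "0", ""}
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(\s+"[^"]*")?\s*\]')

def fsmonitor_values(config_text):
    """Return every core.fsmonitor value set in the text of one Git config file."""
    values, in_core = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:  # section names are case-insensitive; [core] takes no subsection
            in_core = header.group(1).lower() == "core" and header.group(2) is None
            line = line[header.end():].strip()  # a key may share the header's line
        if not in_core or not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if key.strip().lower() != "fsmonitor":
            continue
        value = value.strip() if sep else "true"  # a bare key means true
        if not value.startswith('"'):
            value = re.split(r"[#;]", value, maxsplit=1)[0].strip()  # trailing comment
        values.append(value.strip('"'))
    return values

def scan_tree(root):
    """Return (config_path, value) for each command-valued core.fsmonitor under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in files:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            findings += [(path, v) for v in fsmonitor_values(text)
                         if v.lower() not in GIT_BOOLEANS]
    return findings

# Constructed sample config; the hook path is an inert placeholder.
SAMPLE = '[core]\n\trepositoryformatversion = 0\n\tFSMonitor = "./placeholder-hook"\n'

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "unpacked", ".git"))
        with open(os.path.join(root, "unpacked", ".git", "config"), "w") as fh:
            fh.write(SAMPLE)
        for path, value in scan_tree(root):
            print(f"{path}: core.fsmonitor = {value!r}")
```

Running it over a download or extraction directory before opening files from it in an editor with Git integration lists the configs that deserve a manual look.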
Timeline
01.04.2026 00:45 · 2 articles
Vim and GNU Emacs file-open RCE flaws disclosed
Initial Disclosure
Hung Nguyen of Calif used Claude to find remote code execution flaws in Vim 9.2.0271 and earlier and in GNU Emacs that can trigger when a crafted file is opened. In Vim, missing security checks and modeline handling allowed embedded code to run as the current user, and Vim maintainers released version 9.2.0272. In GNU Emacs, vc-git can invoke Git on untrusted directories, where a hidden .git/config and core.fsmonitor can execute attacker-controlled commands, and the flaw remained unpatched.
Sources
- Claude AI finds Vim, Emacs RCE bugs that trigger on file open — www.bleepingcomputer.com — 01.04.2026 00:45