Key information

Vulnerability details
CVE: CVE-2026-28417
Severity: Medium (CVSS v3 base score: 4.4/10)
Affected versions: < 9.2.0073
Patched version: 9.2.0073

Description
Vulnerability type: OS command injection
Affected component: Netrw (Vim standard plugin)
CVE description: An OS command injection vulnerability in netrw, the network plugin bundled with Vim, allows execution of arbitrary shell commands with the privileges of the Vim process.
Exploit vector: A crafted URL handled by one of netrw's protocol handlers can trigger the vulnerability.

More details
Detection: The vulnerability is present because of an unanchored regular expression in a function that only checks that the hostname begins with an alphanumeric character; the rest of the hostname string is never validated, so shell metacharacters pass through to the shell.
Malicious behavior: Arbitrary commands can be executed through the Ex command netrw uses to invoke the shell, because the unvalidated hostname is interpolated into the command line.
Severity justification: Malformed strings of this kind are visible and suspicious in an interactive context, so the severity is rated medium.
Reference fix: The issue was resolved in v9.2.0073.
Credits: GitHub users ehdgks0627 and un3xploitable, for identifying and fixing the flaw.
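The flaw class described above, as an added illustration that is not netrw's code: a start-anchored check that accepts any string whose first character is alphanumeric, beside a full-match check, each feeding a command line. The regular expressions, the `echo`-based stand-in for the transfer program, and the sample hostnames are assumptions constructed for this example, and `sh` is used only so the effect of an unanchored check is visible offline.

```python
"""Start-anchored hostname check (bug class) versus full-match check (fix).

Added example; the regexes and the command template are assumptions
constructed for illustration, not netrw's own code.
"""
import re
import subprocess

# Start-anchored only: re.match guarantees the first character is
# alphanumeric and says nothing about the rest of the string.
WEAK_HOST_RE = re.compile(r"[A-Za-z0-9]")

# Full-match alternative: dot-separated labels of letters, digits and
# hyphens, so no shell metacharacter can ever reach the command line.
STRICT_HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def weak_host_ok(host: str) -> bool:
    """Accepts 'example.org;echo INJECTED #' because only index 0 is checked."""
    return WEAK_HOST_RE.match(host) is not None


def strict_host_ok(host: str) -> bool:
    """Accepts only a complete, well-formed hostname."""
    return STRICT_HOST_RE.fullmatch(host) is not None


def vulnerable_fetch(host: str) -> list[str]:
    """Model of the bug: weak check, then host interpolated into a shell string.

    `echo` stands in for the real transfer program so this runs offline;
    the shell still parses the host, so `;` starts a second command.
    """
    if not weak_host_ok(host):
        raise ValueError("rejected hostname")
    cmd = f"echo fetching {host}:remote.txt"
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def hardened_fetch(host: str) -> list[str]:
    """Fix: full-match validation and an argv list, so no shell sees the host."""
    if not strict_host_ok(host):
        raise ValueError("rejected hostname")
    out = subprocess.run(
        ["echo", "fetching", f"{host}:remote.txt"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.splitlines()


# Constructed sample hostnames for the demonstration (not from the advisory).
SAMPLES = [
    "example.org",
    "example.org;echo INJECTED #",
    "example.org$(echo INJECTED)",
    "example.org|echo INJECTED",
]


def classify(hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each host to (weak_check_passes, strict_check_passes)."""
    return {h: (weak_host_ok(h), strict_host_ok(h)) for h in hosts}


if __name__ == "__main__":
    for host, (weak, strict) in classify(SAMPLES).items():
        print(f"{host!r}: weak={weak} strict={strict}")
    print(vulnerable_fetch("example.org;echo INJECTED #"))
    print(hardened_fetch("example.org"))
```

Every sample passes the weak check, since each begins with `e`, while only the plain hostname passes the full-match check; running the injected sample through `vulnerable_fetch` yields a second output line produced by the attacker's command. The hardened version rejects the same input before any command is built, and even for accepted input it passes the host as a single argv element rather than through a shell.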