Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

A flaw was found in Vim. When decompressing .tgz archives, the Vimuntar function builds shell commands using shellescape() without the {special} flag. This allows a specially crafted archive filename to trigger Vim cmdline-special expansion and execute arbitrary commands in the context of the current user.

To exploit this issue, an attacker needs to convince a user to decompress a .tgz archive with a specially crafted filename. Additionally, possible arbitrary command execution is restricted to the context of the user running Vim. These conditions limit the exposure of this vulnerability and the potential of a full system compromise. Due to these reasons, this flaw has been rated with a moderate severity. To mitigate this vulnerability, do not decompress untrusted .tgz archives with the Vimuntar command. Use 'tar -x -z -f' directly, instead. Red Hat Enterprise Linux 10 Affected vim Red Hat Enterprise Linux 6 Affected vim Red Hat Enterprise Linux 7 Affected vim Red Hat Enterprise Linux 8 Affected vim Red Hat Enterprise Linux 9 Affected vim Red Hat OpenShift Container Platform 4 Affected rhcos https://www.cve.org/CVERecord?id=CVE-2026-46483 https://nvd.nist.gov/vuln/detail/CVE-2026-46483 https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 https://github.com/vim/vim/releases/tag/v9.2.0479 https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w