CVE-2019-12735

Published: Jun 5, 2019

Modified: Nov 11, 2025

PUBLISHED

Description

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040

https://github.com/neovim/neovim/pull/10082

https://bugs.debian.org/930020

https://bugs.debian.org/930024

FEDORA-2019-d79f89346c

vendor-advisory

USN-4016-1

vendor-advisory

USN-4016-2

vendor-advisory

108724

vdb-entry

FEDORA-2019-dcd49378b8

vendor-advisory

openSUSE-SU-2019:1551

vendor-advisory

openSUSE-SU-2019:1562

vendor-advisory

openSUSE-SU-2019:1561

vendor-advisory

DSA-4467

vendor-advisory

20190624 [SECURITY] [DSA 4467-2] vim regression update

mailing-list

https://support.f5.com/csp/article/K93144355

RHSA-2019:1619

vendor-advisory

RHSA-2019:1774

vendor-advisory

RHSA-2019:1793

vendor-advisory

openSUSE-SU-2019:1759

vendor-advisory

openSUSE-SU-2019:1796

vendor-advisory

DSA-4487

vendor-advisory

20190724 [SECURITY] [DSA 4487-1] neovim security update

mailing-list

RHSA-2019:1947

vendor-advisory

[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update

mailing-list

openSUSE-SU-2019:1997

vendor-advisory

https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_medium=RSS

GLSA-202003-04

vendor-advisory

https://www.exploit-db.com/exploits/46973

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-12735

Description

Affected Products

References