[Security] MacVim affected by CVE-2026-46483 — tar#Vimuntar() command injection via shellescape (vim < 9.2.0479)
Summary
MacVim bundles the vim source at version 9.2 (patches 1-332 in the current build), which is
below the patched version 9.2.0479 that fixes CVE-2026-46483.
Vulnerability Details
- Upstream CVE: CVE-2026-46483
- Inherited from: vim/vim
- Affected code: runtime/autoload/tar.vim, function tar#Vimuntar()
- Vulnerability type: CWE-78 — OS Command Injection
- Fixed in: vim 9.2.0479 (commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1)
Root Cause
In tar#Vimuntar() (runtime/autoload/tar.vim), the function decompresses a .tgz tarball
using :!gunzip and tar. The filename is escaped using shellescape(tartail) without
the second argument 1:
    " runtime/autoload/tar.vim (macvim r183, around line 815)
    if tartail =~ '\.tgz'
      if executable("gunzip")
        silent exe "!gunzip ".shellescape(tartail)
When vim's :! command processes the command string, the ! character in the filename
is interpreted by vim's command-line history substitution BEFORE the shell sees it.
shellescape(x, 0) (the default) does not escape ! for the vim :! context, while
shellescape(x, 1) does.
If an attacker can name a .tgz file to contain !command, and trick a user into
running tar#Vimuntar() on it, the embedded command is executed.
Affected MacVim Code
MacVim's runtime/autoload/tar.vim contains the vulnerable tar#Vimuntar() function at
line 784. The fix changes shellescape(tartail) to shellescape(tartail, 1) throughout
the function.
Note: neovim does NOT have the tar#Vimuntar() function and is not affected by this
specific vulnerability.
Affected MacVim Version
MacVim r183 (vim 9.2 patches 1-332) — current HEAD as of 2026-05-18.
The fix commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 from vim/vim is not present
in the macvim-dev/macvim repository:
git log --all --oneline | grep 3fb5e58f # returns no output
Suggested Fix
Merge or cherry-pick vim/vim patches up to at least 9.2.0479.
The fix changes shellescape(tartail) to shellescape(tartail, 1), which additionally escapes
! (and the other items vim's :! command treats specially) so the shell receives the filename literally.
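The same bug class recurs wherever a plugin builds a :! command with shellescape() but omits the {special} argument, so an audit script is a practical way to check other runtime files before and after cherry-picking the fix. The following checker is an added example, not code from vim or MacVim; the SAMPLE script is constructed to mirror the snippet quoted under Root Cause, and the regexes are heuristics (they only flag shellescape() calls on lines that are actually executed through :!, since system() and job_start() do not pass through vim's ! substitution).

```python
import re

# Constructed sample Vim script, modelled on the tar.vim fragment above (not the real file).
# Line 4 is the vulnerable form, line 5 the fixed form, line 8 a system() call that is
# not affected because it never reaches the :! command line.
SAMPLE = r'''
if tartail =~ '\.tgz'
  if executable("gunzip")
    silent exe "!gunzip ".shellescape(tartail)
    silent exe "!tar -xf ".shellescape(tartail, 1)
  endif
endif
call system("gunzip " . shellescape(tartail))
'''

# A line reaches vim's :! handling if it is `exe "!..."` / `execute '!...'`
# or a bare `!cmd` (optionally prefixed by `silent` / `silent!`).
BANG_VIA_EXE = re.compile(r'exe(?:cute)?\s+["\']!')
BANG_BARE = re.compile(r'^\s*(?:silent!?\s+)?!')

# shellescape(<expr>) with an optional second argument.  group(1) is the escaped
# expression, group(2) the {special} argument or None when it was omitted.
SHELLESCAPE = re.compile(r'shellescape\(\s*([^(),]+?)\s*(?:,\s*([^()]+?))?\s*\)')


def reaches_bang_command(line):
    """True if the shell string on this line is executed through :! (not system())."""
    return bool(BANG_VIA_EXE.search(line) or BANG_BARE.search(line))


def find_unsafe_shellescape(script):
    """Return (line_number, call_text) for every shellescape() on a :! line whose
    {special} argument is missing or 0, i.e. where '!' would not be escaped."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not reaches_bang_command(line):
            continue
        for m in SHELLESCAPE.finditer(line):
            special = (m.group(2) or "").strip()
            if special in ("", "0", "v:false"):
                findings.append((lineno, m.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, call in find_unsafe_shellescape(SAMPLE):
        print(f"line {lineno}: {call} used in a :! command without {{special}}=1")
```

Run it over a checkout's runtime/ directory by feeding each .vim file's contents to find_unsafe_shellescape(); a clean run after the cherry-pick confirms the tar.vim call sites were all updated.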
References