[Security] MacVim affected by CVE-2026-42307 — netrw sftp tmpfile not escaped (OS command injection) #1666

@dkgkdfg65


[Security] MacVim affected by CVE-2026-42307 — netrw OS command injection (vim < 9.2.0383)

Summary

MacVim bundles the vim source at version 9.2 (patches 1-332 in the current build), which is
below the patched version 9.2.0383 that fixes CVE-2026-42307.

Vulnerability Details

  • Upstream CVE: CVE-2026-42307
  • Inherited from: vim/vim
  • Affected code: runtime/autoload/netrw.vim — netrw standard plugin
  • Vulnerability type: CWE-78 — OS Command Injection
  • Fixed in: vim 9.2.0383 (commit 405e2fb6d54d5653523809e2853d99d1c000a5fc)

Root Cause

Prior to vim 9.2.0383, an OS command injection vulnerability exists in the netrw standard
plugin bundled with vim. By inducing a user to open a crafted URL (e.g., using the sftp://
or file:// protocol handlers), an attacker can execute arbitrary shell commands. Netrw
constructs shell commands from user-controlled URL components without adequate sanitization.

An attacker who can trick a user into opening a specially crafted URL in vim (e.g., via a
malicious link in a file opened for editing) can achieve arbitrary command execution.

Affected MacVim Version

MacVim r183 (vim 9.2 patches 1-332) — current HEAD as of 2026-05-18.

The fix commit 405e2fb6d54d5653523809e2853d99d1c000a5fc from vim/vim is not present
in the macvim-dev/macvim repository:

git log --all --oneline | grep 405e2fb6  # returns no output
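As an added example (not part of this issue report and not MacVim's or vim's own code), the following POSIX shell script turns the two checks above into something that can be run against a build: it parses the `Included patches:` line of `vim --version` to decide whether patch 9.2.0383 is present, and it tests whether the fix commit is an ancestor of `HEAD` in a checkout, which is stricter than grepping `git log --all` (an unmerged branch would also match there). The version numbers and commit id come from the issue; the sample `vim --version` texts are constructed, and the MacVim binary path is an assumption about a default install.

```shell
#!/bin/sh
# Added example, not from the issue or the MacVim project: decide whether a
# vim/MacVim build already carries the 9.2.0383 fix for CVE-2026-42307.
# Fixed version and commit id are taken from the issue; sample texts below
# are constructed for illustration.

FIXED_MAJOR=9
FIXED_MINOR=2
FIXED_PATCH=383
FIX_COMMIT=405e2fb6d54d5653523809e2853d99d1c000a5fc

# has_fix VERSION_TEXT
#   exit 0 when the text describes a build at or above 9.2.0383,
#   exit 1 when the build is older, exit 2 when the text cannot be parsed.
has_fix() {
    ver_text=$1
    # First line looks like: "VIM - Vi IMproved 9.2 (2025 Sep 23, compiled ...)"
    mm=$(printf '%s\n' "$ver_text" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    [ -n "$mm" ] || return 2
    major=${mm% *}
    minor=${mm#* }
    if [ "$major" -gt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 1; fi
    if [ "$minor" -gt "$FIXED_MINOR" ]; then return 0; fi
    if [ "$minor" -lt "$FIXED_MINOR" ]; then return 1; fi
    # Same 9.2 line: the highest number on "Included patches: 1-332" (or a
    # comma-separated list such as "1-100, 200-383") decides. No line at all
    # means an unpatched 9.2, which is older than 9.2.0383.
    patches=$(printf '%s\n' "$ver_text" | sed -n 's/^Included patches: *//p' | head -n 1)
    [ -n "$patches" ] || return 1
    highest=$(printf '%s\n' "$patches" | tr ',' '\n' | sed 's/.*-//; s/[^0-9]//g' \
        | grep . | sort -n | tail -n 1)
    [ "${highest:-0}" -ge "$FIXED_PATCH" ]
}

# fix_commit_in_head REPO_DIR
#   exit 0 when FIX_COMMIT exists in the checkout AND is reachable from HEAD.
fix_commit_in_head() {
    git -C "$1" cat-file -e "${FIX_COMMIT}^{commit}" 2>/dev/null || return 1
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# Constructed sample outputs (dates and build lines are made up).
SAMPLE_MACVIM_R183='VIM - Vi IMproved 9.2 (2025 Sep 23, compiled May 18 2026 10:00:00)
macOS version - arm64
Included patches: 1-332'
SAMPLE_FIXED='VIM - Vi IMproved 9.2 (2025 Sep 23, compiled May 20 2026 10:00:00)
Included patches: 1-383'

# report LABEL VERSION_TEXT: print a one-line verdict for the given text.
report() {
    label=$1
    text=$2
    has_fix "$text" && rc=0 || rc=$?
    case $rc in
        0) echo "$label: patch 9.2.0383 present, CVE-2026-42307 fixed" ;;
        1) echo "$label: patch 9.2.0383 NOT present, CVE-2026-42307 applies" ;;
        *) echo "$label: could not parse version output" ;;
    esac
}

report "constructed MacVim r183 sample" "$SAMPLE_MACVIM_R183"
report "constructed fixed sample" "$SAMPLE_FIXED"

# Live check on binaries found locally (the MacVim path is an assumption).
for bin in vim /Applications/MacVim.app/Contents/MacOS/Vim; do
    [ -x "$bin" ] || command -v "$bin" >/dev/null 2>&1 || continue
    ver=$("$bin" --version 2>/dev/null) || continue
    [ -n "$ver" ] || continue
    report "$bin" "$ver"
done
```

Run it as-is to see the verdict for the constructed samples and any local `vim`; for a macvim-dev/macvim checkout, `fix_commit_in_head /path/to/macvim` answers the same question the `git log` check above asks, but only counts the commit if it is actually on the branch being built.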

Suggested Fix

Merge or cherry-pick vim/vim patches up to at least 9.2.0383:

References
