[CLSA-2026:1784023446] vim: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-07-14 10:04:23 UTC
Description:
- CVE-2026-59858: escape the typeref field with escape(typename, '/\') before interpolating it into the :vimgrep pattern in ccomplete.vim StructMembers(), preventing arbitrary Ex command execution during C omni-completion when reading a crafted tags file (runtime/autoload/ccomplete.vim, upstream vim 9.2.0735) - CVE-2026-59856: quote the class name via string() before interpolating it into the search() pattern executed by win_execute() in phpcomplete.vim GetClassContentsStructure(), preventing potential command execution during PHP omni-completion (runtime/autoload/phpcomplete.vim, upstream vim 9.2.0736)
Updated packages:
  • vim-X11-8.2.2637-22.el9_2.1.tuxcare.els38.x86_64.rpm
    sha:06626b23fc3c72309562e2a0e284f1823e9aa80f9a86e31a2b2917e4914a3692
  • vim-common-8.2.2637-22.el9_2.1.tuxcare.els38.x86_64.rpm
    sha:0ccad2b0a153aaf00052c9d88ff9a6a8189505a6a8b16e9ea0676c07e3a489f7
  • vim-enhanced-8.2.2637-22.el9_2.1.tuxcare.els38.x86_64.rpm
    sha:7d2fdd2e1547b62ff2ccd7e0c50ccf9227ee3b6568ea56e968d5cc506530df1d
  • vim-filesystem-8.2.2637-22.el9_2.1.tuxcare.els38.noarch.rpm
    sha:18841726615cd7e1101d96a85f8749f21970dcc6916f7ed5bb1a8c4a54b71efc
  • vim-minimal-8.2.2637-22.el9_2.1.tuxcare.els38.x86_64.rpm
    sha:3cf49da2dab9d75c3d2cbb922a4c9f649284b06b39192bb245c886cb7da46a96
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.