[CLSA-2026:1784022695] vim: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-07-14 09:51:51 UTC
Description:
- CVE-2026-59858: escape the typeref field with escape(typename, '/\') before interpolating it into the :vimgrep pattern in ccomplete.vim StructMembers(), preventing arbitrary Ex command execution during C omni-completion when reading a crafted tags file (runtime/autoload/ccomplete.vim, upstream vim 9.2.0735) - CVE-2026-59856: quote the class name via string() before interpolating it into the search() pattern executed by win_execute() in phpcomplete.vim GetClassContentsStructure(), preventing potential command execution during PHP omni-completion (runtime/autoload/phpcomplete.vim, upstream vim 9.2.0736)
Updated packages:
  • vim-X11-8.2.2637-22.el9_6.1.tuxcare.els38.x86_64.rpm
    sha:f2cffb23f13050ccd71884c3ec72163444b57540f15ea626076e91bf4af8275b
  • vim-common-8.2.2637-22.el9_6.1.tuxcare.els38.x86_64.rpm
    sha:760b26eab1c5d2d16f52217892328510217ea6d61695624d6bec2332a26dc83f
  • vim-enhanced-8.2.2637-22.el9_6.1.tuxcare.els38.x86_64.rpm
    sha:b033eec3565f284154ff993e43d033d370b6bfd947936c25d8f0100ba54a8a79
  • vim-filesystem-8.2.2637-22.el9_6.1.tuxcare.els38.noarch.rpm
    sha:4a47d0bb55e4e9f2cf6386ca6bc1d3a0dc0a23a28ccd85828437f5ee04ff0758
  • vim-minimal-8.2.2637-22.el9_6.1.tuxcare.els38.x86_64.rpm
    sha:82b9036cc8b32b20153f42cf921c97156128a0827f25e63f986a9be8107b3a36
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.