#1139999 neovim: CVE-2026-11487

Package: src:neovim
Source: src:neovim
Submitter: Salvatore Bonaccorso
Date: 2026-06-15 05:53:01 UTC
Severity: normal
#1139999#5
Date: 2026-06-14 13:47:54 UTC
Hi,

The following vulnerability was published for neovim.

CVE-2026-11487[0]:
| A flaw has been found in Neovim up to 0.12.2. Affected by this issue
| is the function M.read of the file runtime/lua/vim/secure.lua of the
| component View Branch. Executing a manipulation of the argument path
| can lead to command injection. It is possible to launch the attack
| on the local host. The exploit has been published and may be used.
| This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A
| patch should be applied to remediate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11487
https://www.cve.org/CVERecord?id=CVE-2026-11487
[1] https://github.com/neovim/neovim/issues/39914
[2] https://github.com/neovim/neovim/pull/39918
[3] https://github.com/neovim/neovim/commit/f83e0dcaf8cf18de94828341b0a1a61a86c75baf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1139999#14
Date: 2026-06-14 20:35:49 UTC
Version: 0.12.3-1

This was fixed in 0.12.3-1 already. I'll add a retroactive reference in
the changelog.

Cheers,

#1139999#19
Date: 2026-06-15 05:50:57 UTC
Hi James,

Thanks, indeed I did check against the 0.12.2 version but used the
wrong version to fill the bug report. Sorry about the extra work, I
just fixed the metadata for the security-tracker.

Regards,
Salvatore