[Security] MacVim affected by CVE-2026-44656 — :find completion backtick injection via 'path' option #1662

@dkgkdfg65

[Security] MacVim affected by CVE-2026-44656 — :find completion backtick OS command injection (vim < 9.2.0435)

Summary

MacVim bundles the vim source at version 9.2 (patches 1-332 in the current build), which is
below the patched version 9.2.0435 that fixes CVE-2026-44656.

Vulnerability Details

  • Upstream CVE: CVE-2026-44656
  • Inherited from: vim/vim
  • Affected code: :find command-line completion with path option
  • Vulnerability type: CWE-78 — OS Command Injection
  • Fixed in: vim 9.2.0435 (commit 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0)

Root Cause

Prior to vim 9.2.0435, an OS command injection vulnerability exists in Vim's :find
command-line completion. When the 'path' option contains backtick-enclosed shell commands
(e.g., set path=`cmd`), those commands are executed during filename completion. Because
the 'path' option can be set via modelines or project-local configuration files, an
attacker who controls such files can execute arbitrary commands when the victim uses
tab completion with :find.

Affected MacVim Version

MacVim r183 (vim 9.2 patches 1-332) — current HEAD as of 2026-05-18.

The fix commit 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 from vim/vim is not present
in the macvim-dev/macvim repository:

git log --all --oneline | grep 190cb3c2  # returns no output
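A version check to go with the figures above, added here as an example (it is not code from this issue, from MacVim, or from vim/vim): a POSIX sh script that reads `vim --version` output and reports whether the build is at or beyond 9.2.0435. It assumes the long-standing output format (a first line "VIM - Vi IMproved X.Y (...)" and an "Included patches: 1-NNN[, ...]" line); the sample outputs embedded in it are constructed for offline use, and `fix_commit_present` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the MacVim issue or from vim/vim: decide from
# `vim --version` output whether a build includes patch 9.2.0435, the fix for
# CVE-2026-44656. Assumes (not stated on the page) the usual output format:
#   VIM - Vi IMproved X.Y (...)
#   Included patches: 1-NNN[, NNN ...]

FIX_MAJOR=9
FIX_MINOR=2
FIX_PATCH=435
FIX_COMMIT=190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0   # upstream fix commit, from the issue

# version_at_least A B C X Y Z: succeed if A.B.C >= X.Y.Z numerically.
version_at_least() {
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# vim_version_status: reads `vim --version` text on stdin and prints one of
# fixed / vulnerable / unknown, exiting 0 / 1 / 2 respectively.
vim_version_status() {
    text=$(cat)
    ver=$(printf '%s\n' "$text" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    major=${ver% *}
    minor=${ver#* }
    # Highest included patch number. Vim prints ranges and lists ("1-332" or
    # "1-332, 340"), so take the largest number on the line; 0 if absent.
    patch=$(printf '%s\n' "$text" | sed -n 's/^Included patches: *//p' | head -n 1 \
        | awk -F'[-,]' '{ for (i = 1; i <= NF; i++) { gsub(/ /, "", $i)
                          if ($i ~ /^[0-9]+$/ && $i + 0 > m) m = $i + 0 } }
                        END { print m + 0 }')
    if version_at_least "$major" "$minor" "$patch" "$FIX_MAJOR" "$FIX_MINOR" "$FIX_PATCH"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# fix_commit_present REPO (hypothetical helper): succeed if the upstream fix
# commit object exists in REPO, the same question the issue answers with
# `git log --all --oneline | grep 190cb3c2`.
fix_commit_present() {
    git -C "$1" cat-file -e "${FIX_COMMIT}^{commit}" 2>/dev/null
}

# Constructed sample outputs for offline use; the first mirrors the issue's
# MacVim r183 build (vim 9.2, patches 1-332).
SAMPLE_MACVIM_R183='VIM - Vi IMproved 9.2 (2025 Aug 12, compiled May 18 2026 10:00:00)
macOS version - arm64
Included patches: 1-332'
SAMPLE_PATCHED='VIM - Vi IMproved 9.2 (2025 Aug 12, compiled Jun 01 2026 09:00:00)
Included patches: 1-440'

printf 'MacVim r183 sample: %s\n' "$(printf '%s\n' "$SAMPLE_MACVIM_R183" | vim_version_status)"
printf 'patched sample:     %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED" | vim_version_status)"
if command -v vim >/dev/null 2>&1; then
    printf 'local vim:          %s\n' "$(vim --version | vim_version_status)"
fi
```

Pipe `vim --version` (or, for MacVim, the bundled binary under MacVim.app/Contents/MacOS) into `vim_version_status`. One caveat on the commit check: a cherry-pick gives the fix a new SHA, so both the issue's `git log | grep` and `fix_commit_present` can report the fix as absent after it has actually been merged; the patch number that ends up in the "Included patches" line is the signal to rely on.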

Suggested Fix

Merge or cherry-pick vim/vim patches up to at least 9.2.0435:

References
