The zip.vim plugin, bundled with the Vim editor, has been the subject of recent security advisories due to path traversal vulnerabilities. Two CVEs, CVE-2026-35177 and CVE-2025-53906, highlight how specially crafted ZIP archives can cause Vim to write files outside the intended directory when the plugin is used. These flaws are situational, requiring specific user interactions with malicious archives. Microsoft has acknowledged that Azure Linux includes the vulnerable zip.vim component, though other Microsoft products may also be affected. Discussions on WindowsForum.com focus on the conditional exploit risks and the broader implications for enterprise environments using Vim.
- Vim’s zip.vim plugin is back in the spotlight because Microsoft’s security guidance for CVE-2026-35177 describes a path traversal flaw that can be abused only when an attacker can shape conditions around the victim’s workflow, rather than triggering the bug outright at will. That distinction...
- The Vim editor contains a path-traversal flaw in its zip.vim plugin (CVE-2025-53906) that can let a specially crafted ZIP archive cause Vim to write files outside the intended directory — and while Microsoft has publicly attested that Azure Linux includes the vulnerable component, that...