Debian Package Tracker
Register | Log in
Subscribe

vim

Vi IMproved - enhanced vi editor

Choose email to subscribe with

general
  • source: vim (main)
  • version: 2:9.2.0524-1
  • maintainer: Debian Vim Maintainers (DMD)
  • uploaders: James McCoy [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2:8.2.2434-3+deb11u1
  • o-o-sec: 2:8.2.2434-3+deb11u3
  • oldstable: 2:9.0.1378-2+deb12u2
  • stable: 2:9.1.1230-2
  • testing: 2:9.2.0524-1
  • unstable: 2:9.2.0524-1
versioned links
  • 2:8.2.2434-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:8.2.2434-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:9.0.1378-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:9.1.1230-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:9.2.0524-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • vim (41 bugs: 0, 20, 21, 0)
  • vim-common (6 bugs: 0, 2, 4, 0)
  • vim-doc (1 bugs: 0, 0, 1, 0)
  • vim-gtk3 (3 bugs: 0, 1, 2, 0)
  • vim-gui-common
  • vim-motif
  • vim-nox (1 bugs: 0, 0, 1, 0)
  • vim-runtime (33 bugs: 0, 14, 19, 0)
  • vim-tiny (1 bugs: 0, 1, 0, 0)
  • xxd (3 bugs: 0, 0, 3, 0)
action needed
A new upstream version is available: 9.2.0782 high
A new upstream version 9.2.0782 is available, you should consider packaging it.
Created: 2026-05-14 Last update: 2026-07-07 20:30
30 security issues in trixie high

There are 30 open security issues in trixie.

25 important issues:
  • CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
  • CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
  • CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
  • CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
  • CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
  • CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
  • CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
  • CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
  • CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
  • CVE-2026-42307: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
  • CVE-2026-43961:
  • CVE-2026-44656: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
  • CVE-2026-45130: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
  • CVE-2026-47162: Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
  • CVE-2026-47167: Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
5 issues left for the package maintainer to handle:
  • CVE-2025-53905: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
  • CVE-2025-53906: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
  • CVE-2026-25749: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
  • CVE-2026-26269: (needs triaging) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
  • CVE-2026-46483: (needs triaging) Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-07-16 Last update: 2026-06-26 10:00
11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57454: Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
Created: 2026-06-11 Last update: 2026-06-26 10:00
11 security issues in forky high

There are 11 open security issues in forky.

11 important issues:
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57454: Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
Created: 2026-06-11 Last update: 2026-06-26 10:00
30 security issues in bullseye high

There are 30 open security issues in bullseye.

26 important issues:
  • CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
  • CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
  • CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
  • CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
  • CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
  • CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
  • CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
  • CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
  • CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
  • CVE-2026-42307: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
  • CVE-2026-43961:
  • CVE-2026-44656: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
  • CVE-2026-45130: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
  • CVE-2026-46483: Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
  • CVE-2026-47162: Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
  • CVE-2026-47167: Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
4 issues postponed or untriaged:
  • CVE-2025-53905: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
  • CVE-2025-53906: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
  • CVE-2026-25749: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
  • CVE-2026-26269: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
Created: 2026-02-28 Last update: 2026-06-26 10:00
31 security issues in bookworm high

There are 31 open security issues in bookworm.

25 important issues:
  • CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
  • CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
  • CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
  • CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
  • CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
  • CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
  • CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
  • CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
  • CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
  • CVE-2026-42307: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
  • CVE-2026-43961:
  • CVE-2026-44656: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
  • CVE-2026-45130: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
  • CVE-2026-47162: Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
  • CVE-2026-47167: Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
6 issues left for the package maintainer to handle:
  • CVE-2025-29768: (needs triaging) Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.
  • CVE-2025-53905: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
  • CVE-2025-53906: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
  • CVE-2026-25749: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
  • CVE-2026-26269: (needs triaging) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
  • CVE-2026-46483: (needs triaging) Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-03-03 Last update: 2026-06-26 10:00
17 bugs tagged patch in the BTS normal
The BTS contains patches fixing 17 bugs, consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-08 01:31
Fails to build during reproducibility testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2024-01-19 Last update: 2026-07-08 00:03
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2:9.2.0782-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit bc3877dbef2220fbb74d333e55f5340c6a1b2e8c
Author: James McCoy <jamessan@debian.org>
Date:   Tue Jul 7 06:18:29 2026 -0400

    Skip Test_clientserver_serverlist_list() and Test_remote_serverlist()
    
    These tests currently fail when run without access to X.
    
    Revisit once https://github.com/vim/vim/pull/20719 and
    https://github.com/vim/vim/pull/20716 are resolved.
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 9f6ca07bd5d4e6adbad89c6e67c55a73a8174c36
Author: James McCoy <jamessan@debian.org>
Date:   Sat Jul 4 10:42:28 2026 -0400

    d/copyright: Add stanza for syntax/ssh{allowedsigners,authorizedkeys,knownhosts,publickey}.vim
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit d143d81ed7e4029876e6c5cb4f4c6fe7d4206237
Author: James McCoy <jamessan@debian.org>
Date:   Sat Jul 4 10:29:55 2026 -0400

    Start changelog for v9.2.0782
    
    Closes: #1139728
    Closes: #1139729
    Closes: #1139730
    Closes: #1140775
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 142d9acf912af8654bd854cae70c9d8123ea0627
Merge: b850129d3 834b8d218
Author: James McCoy <jamessan@debian.org>
Date:   Sat Jul 4 09:20:34 2026 -0400

    Merge tag 'v9.2.0782' into debian/sid
    
    v9.2.0782
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit b850129d3f91fa5c105800d4697e8cf6b945a38b
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 22:35:31 2026 -0400

    release package vim version 2:9.2.0524-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit ee0166cd6bd608d025bae665c4642f692867fa89
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 22:31:30 2026 -0400

    Remove obsolete --enable-sockerserver switch
    
    The functionality has changed and is always available when channels are
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit b6f1b9613b6c35b8ac484f6c19b3e24172616338
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 21:01:04 2026 -0400

    Disable gtk4 configure check until new UI stabilizes
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 651753743227b2d955a66256c8016ddfc487d031
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 21:00:35 2026 -0400

    Start changelog for v9.2.0524
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 48bb2bb53769dd861526e5cc3294ae60b9fcea73
Merge: 8cbc77e95 9a920e825
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 20:58:26 2026 -0400

    Merge tag 'v9.2.0524' into debian/sid
    
    v9.2.0524

commit 9a920e82546dace49a0a88dced80d29a39efbdb0
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 23 19:56:10 2026 +0000

    patch 9.2.0524: spell: buffer overflow with many affix or compound flags
    
    Problem:  spell: a word in a .dic file with many postponed prefix or
              compound flags overflows the fixed-size store_afflist[MAXWLEN]
              buffer in get_pfxlist() and get_compflags().
    Solution: Add bounds checks (Yasuhiro Matsumoto).
    
    closes: #20286
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 5e3056ee83f321dfbb597975e955b0e4f9058280
Author: Antonio Giovanni Colombo <azc100@gmail.com>
Date:   Sat May 23 19:21:42 2026 +0000

    translation(it): Update Italian manpage
    
    Signed-off-by: Antonio Giovanni Colombo <azc100@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit fccc2adc98c3d6664f1f2d8ddab17b096e647986
Author: Christian Brabandt <cb@256bit.org>
Date:   Sat May 23 19:05:28 2026 +0000

    patch 9.2.0523: tests: no test for using shellescape() in combination with :!
    
    Problem:  tests: no test for using shellescape() in combination with :!
    Solution: Add a test that checks runtime files for using wrong
              combination of shellescape() with ! ex command
    
    This has lead to a few security relevant issues, so add a test that
    checks all runtime files for any ! followed by a shellescape() that does
    not use the {special} arg.
    
    related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479:
             [security]: runtime(tar): command injection in tar plugin)
    
    closes: #20286
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit da1f41d5d33152d7ab90a817bd99803c5727b937
Author: John Marriott <basilisk@internode.on.net>
Date:   Sat May 23 19:00:12 2026 +0000

    patch 9.2.0522: event_nr2name() in autocmd.c can be improved
    
    Problem:  event_nr2name() in autocmd.c can be improved
    Solution: Refactor it so that event_nr2name() returns a string_T type
              (John Marriott).
    
    Additionally:
    - change the define to an enum.
    - in function auto_next_pat(), move some variables closer to where they
      are used; rename s to fmt along the way.
    
    closes: #20272
    
    Signed-off-by: John Marriott <basilisk@internode.on.net>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b34fa59abbd4f70b595ccab435446744443914d6
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 23 18:49:43 2026 +0000

    patch 9.2.0521: GTK4: cannot resize shell after the window is shown
    
    Problem:  GTK4: cannot resize shell after the window is shown
              (Maxim Kim, after v9.2.0501)
    Solution: Always apply the requested size with
              gtk_window_set_default_size(), regardless of realized state
              (Yasuhiro Matsumoto).
    
    fixes:  #20264
    closes: #20269
    
    Co-Authored-by: Claude <noreply@anthropic.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit d7e6ce7a767209ed046c8cb04091b47128892954
Author: Shad <shadow.walker@free.fr>
Date:   Sat May 23 18:43:09 2026 +0000

    patch 9.2.0520: Reversed text opacity in popup when termguicolor is set
    
    Problem:  When termguicolor is set, popup opacity seems reversed
              for the underlying text: when opacity go from 1 to 99,
              the greater opacity is, the more underlying text is readable.
    Solution: Invert popup_color and base_fg when calling blend_colors
              (Shad).
    
    fixes:  #20283
    closes: #20284
    
    Signed-off-by: Shad <shadow.walker@free.fr>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3a54de8f441730dfe617892c7a08817252618a1c
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Sat May 23 18:35:07 2026 +0000

    patch 9.2.0519: GTK4: GUI tabline is not displayed correctly
    
    Problem:  GTK4: GUI tabline is not displayed correctly, and double
              increments the index in the for() loop
    Solution: Drop the additional increment (Foxe Chen)
    
    closes: #20299
    
    Co-Authored-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f42ce78f770a68a8bb15209cc6def9b7763062f6
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 23 18:25:16 2026 +0000

    patch 9.2.0518: GTK4: input method cannot compose text
    
    Problem:  GTK4: input method cannot compose text
              (lilydjwg, after v9.2.0501)
    Solution: Render the over-the-spot preedit with a GtkPopover instead of
              a separate toplevel, so the compositor keeps
              keyboard focus on the drawing area and does not disable
              text-input-v3; attach the key controller to gui.drawarea and
              filter key events manually with gtk_im_context_filter_keypress()
              (Yasuhiro Matsumoto)
    
    fixes:  #20257
    closes: #20266
    
    Co-Authored-by: lilydjwg <lilydjwg@gmail.com>
    Co-authored-by: Claude <noreply@anthropic.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cb8510d4703c13b34e178067ffe48a24c9a3ad32
Author: Yegappan Lakshmanan <yegappan@yahoo.com>
Date:   Sat May 23 18:16:22 2026 +0000

    patch 9.2.0517: quickfix: can set quickfixtextfunc in restricted/sandbox mode
    
    Problem:  quickfix: can set quickfixtextfunc in restricted/sandbox mode
              (tacdm)
    Solution: Disallow setting the quickfixtextfunc option from a sandbox
              and restricted mode (Yegappan Lakshmanan).
    
    closes: #20305
    
    Co-Authored-by: tacdm
    Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ecba601e3f10fc046829877a0a4682a54cc27da0
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sat May 23 16:07:16 2026 +0000

    runtime(doc): fix a few small problems
    
    closes: #20287
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e3cb9655d7b0fbd4c2a14f7e300fafae374e3be2
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Sat May 23 15:55:28 2026 +0000

    patch 9.2.0516: socketserver: spurious error when servername is taken
    
    Problem:  socketserver: when searching for a free socket path,
              socketserver_get_path() emits an error for each name that is
              already in use (after v9.2.0512).
    Solution: Add an "ignore" argument to socketserver_get_path() to
              suppress the error (Foxe Chen).
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6574102fb4a4b31c0988ea1c1de0ec4a665cc1c8
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Sat May 23 15:47:32 2026 +0000

    runtime(doc): Tweak documentation style
    
    closes: #20296
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 37223f47b178d7e66173271e65d84de4413af6e2
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri May 22 23:12:27 2026 +0000

    CI: Bump github/codeql-action
    
    Bumps the github-actions group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action).
    
    Updates `github/codeql-action` from 4.35.4 to 4.35.5
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/v4.35.4...v4.35.5)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.5
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    ...
    
    closes: #20297
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3d0a6073e560dd3b06a2f05ae01f0e9c59e68224
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Fri May 22 23:08:29 2026 +0000

    patch 9.2.0515: virtualedit=insert doesn't work during change operation
    
    Problem:  virtualedit=insert doesn't work during change operation
              (after 6.1.014).
    Solution: Make virtual_op only affect virtualedit=block (zeertzjq).
    
    related: neovim/neovim#35391
    closes:  #20298
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ea71d5bb01ead1f982148771799462e91136107f
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Fri May 22 22:18:03 2026 +0000

    patch 9.2.0514: GTK4: build errors when socketserver is enabled
    
    Problem:  GTK4: build errors when socketserver is enabled
              (after v9.2.0512)
    Solution: Drop unused functions (Foxe Chen)
    
    closes: #20293
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 25e4e46c584840806b45da20edf8219cf19801a2
Author: Christian Brabandt <cb@256bit.org>
Date:   Fri May 22 21:46:57 2026 +0000

    patch 9.2.0513: [security]: memory safety issues in spellfile.c
    
    Problem:  [security]: memory safety issues in spellfile.c
              (tacdm)
    Solution: Add recursion limit to read_tree_node(), add length limit
              check in tree_count_words(), use alloc_clear() in
              spell_read_tree().
    
    Github Security Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-3h95-3962-mmvf
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e9c793bebcad2b585b3f5d25ca6108bcb48772fe
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Fri May 22 18:30:52 2026 +0000

    patch 9.2.0512: clientserver uses binary protocol
    
    Problem:  clientserver feature uses binary protocol and is hard
              to understand
    Solution: Rewrite the code based on channels and JSON messages
              (Foxe Chen).
    
    closes: #19782
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1d727b6f74896915a94f7d0e134d64cb0eac8045
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 22 18:09:33 2026 +0000

    patch 9.2.0511: configure: when GTK4 is used also links in X11 libs
    
    Problem:  configure: when GTK4 is used also links in X11 libs
              (Reilly Brogan)
    Solution: Disable linking against X11 libraries when GTK4 GUI is to be
              used (Yasuhiro Matsumoto)
    
    GTK4 does not use any X11 APIs directly; the X11 backend is loaded by
    GTK4 at runtime. Force with_x=no when --enable-gui=gtk4 so configure
    does not probe for libICE/libSM/libX11/libXt/libXdmcp/libXpm, and so
    packagers do not pull those into build dependencies. Also skip the
    XSMP X11/SM/SMlib.h header check when X11 is disabled, since USE_XSMP
    itself requires HAVE_X11.
    
    fixes:  #20268
    closes: #20289
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e3dedac77b2076210e7027b14a5927622434f014
Author: glepnir <glephunter@gmail.com>
Date:   Fri May 22 17:59:23 2026 +0000

    patch 9.2.0510: setline() mapping may trigger autoindent
    
    Problem:  setline() insert mode mapping may trigger autoindent,
              corrupting the newly inserted line content (Evgeni Chasnovski)
    Solution: Only strip autoindent whitespace when the rest of the line is
              all whitespace (glepnir).
    
    fixes:  #19363
    closes: #20290
    
    Signed-off-by: glepnir <glephunter@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c7645fcda50f95cc098545b70ce937a986b997d1
Author: Christian Brabandt <cb@256bit.org>
Date:   Fri May 22 17:44:50 2026 +0000

    runtime(doc): add a few references to mouse behaviour
    
    fixes: #20281
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 44a1a6a33171ee34dddccf5236c38791fb489dfc
Author: Christian Brabandt <cb@256bit.org>
Date:   Thu May 21 20:15:59 2026 +0000

    runtime(doc): Update wrong shellescape() example
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0b14d6de60dba104b3ff91461982072b5bbe95a5
Author: Antonio Giovanni Colombo <azc100@gmail.com>
Date:   Thu May 21 20:13:42 2026 +0000

    translation(it): Update Italian translation
    
    Signed-off-by: Antonio Giovanni Colombo <azc100@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit daad5ea9058fae5c5c0014a0b49963d12caea9f8
Author: Muraoka Taro <koron.kaoriya@gmail.com>
Date:   Thu May 21 20:05:14 2026 +0000

    patch 9.2.0509: term.c: compile error when LOG_TRN is enabled
    
    Problem:  compile error when LOG_TRN is enabled
    Solution: Use valid arguments (Muraoka Taro)
    
    closes: #20278
    
    Signed-off-by: Muraoka Taro <koron.kaoriya@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b54e57ee54f0a4e6eac74b071071a9d85326de3a
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu May 21 19:57:06 2026 +0000

    patch 9.2.0508: completion: cannot complete user cmd :K with 'ignorecase'
    
    Problem:  completion: cannot complete user cmd :K with 'ignorecase'
              (rendcrx)
    Solution: Skip the short-circuit when 'ignorecase' is set
              (Yasuhiro Matsumoto)
    
    The set_cmd_index() short-circuit for the :k command treats ":k<X>" as
    ":k {X}" (mark argument), which makes ":kz<Tab>" never reach the
    command-name expansion path. With 'ignorecase' the same prefix on other
    letters (":gz<Tab>") completes a user command like :Gz, so the result is
    inconsistent. Skip the short-circuit when 'ignorecase' is set; default
    behaviour is preserved so the existing :k tests still pass.
    
    fixes:  #20241
    closes: #20275
    
    Co-authored-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6845c7a63d573682b82d03d4ad606d27547f9498
Author: nyngwang <nyngwang@gmail.com>
Date:   Thu May 21 19:54:22 2026 +0000

    runtime(doc): fix a typo in :map-local
    
    closes: #20276
    
    Signed-off-by: nyngwang <nyngwang@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1dfaeb4fa358586c3fa111c5d3fea34eb4278bc9
Author: Christian Brabandt <cb@256bit.org>
Date:   Thu May 21 19:52:00 2026 +0000

    runtime(doc): re-generate vim.man
    
    related: #20186
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 06a2c7105c3d678cd0c04b934d26810af15b7470
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Thu May 21 19:45:59 2026 +0000

    patch 9.2.0507: Vim9 class: public/protected member name clash uses same error
    
    Problem:  When a public member and a protected member in a Vim9
              class have the same name (differing only in the leading '_'),
              Vim reports E1369 "Duplicate variable", which is also used for
              plain duplicate definitions.  Users cannot tell from the
              message whether the conflict is the public/protected naming
              rule or a real duplicate.
    Solution: Add a dedicated error E1406 "Public and protected member
              have the same name" and emit it only when the name clash is
              between a public and a protected member.  Keep E1369 for
              genuine duplicate variable definitions (Hirohito Higashi).
    
    fixes:  #20240
    closes: #20277
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ff9fd819aeca68b55c013af78edec6da7e269a8f
Author: Guilherme Puida Moreira <guilherme@puida.xyz>
Date:   Thu May 21 19:34:20 2026 +0000

    runtime(debversions): Add stonking (26.10) as Ubuntu release name
    
    closes: #20282
    
    Signed-off-by: Guilherme Puida Moreira <guilherme@puida.xyz>
    Signed-off-by: James McCoy <jamessan@jamessan.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit d0af3bcee1d91514a33fbaf19ccc2aa2ab73ba40
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Thu May 21 19:03:50 2026 +0000

    runtime(doc): fix help tags for removed/reused error codes
    
    Problem:  Several error codes (E614, E1319, E1321, E1323, E1400, E1401,
              E1402, E1406) were removed from errors.h in v9.1.0600 but
              their *Ennn* tags remained in the help files, so :help Ennn
              jumps to obsolete locations.  E1395 was later reused with a
              new meaning ("Using a null class") in v9.1.1119, but its tag
              is still placed in the type-alias section.
    Solution: Remove the stale *Ennn* tags from the help files.  Move
              *E1395* to the vim9.txt null-values section to match its
              current meaning.  Also fix the indentation of *E1411*.
              Regenerate runtime/doc/tags.
    
    closes: #20279
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 85eb099bf2210a3882005c0bf5d47306902c999e
Author: Cyril Roelandt <tipecaml@gmail.com>
Date:   Wed May 20 21:15:33 2026 +0000

    runtime(mbsync): Properly handle values for the "Sync" keyword
    
    This has been manually tested with my personal mbsync configuration and
    with the following test file:
    
        $ cat test.mbsyncrc
        Channel Foo
        # None may not be combined with other operations
        Sync None
        Sync None New
        # First form
        Sync Pull
        Sync Push
        Sync New
        Sync Old
        Sync Upgrade
        Sync ReNew
        Sync Gone
        Sync Delete
        Sync Flags
        Sync Invalid
        # Second form
        Sync PullNew
        Sync PullOld
        Sync PullUpgrade
        Sync PullReNew
        Sync PullGone
        Sync PullDelete
        Sync PullFlags
        Sync PullFull
        Sync PullAll
        Sync PullInvalid
        Sync PushNew
        Sync PushOld
        Sync PushUpgrade
        Sync PushReNew
        Sync PushGone
        Sync PushDelete
        Sync PushFlags
        Sync PushFull
        Sync PushAll
        Sync PushInvalid
        Sync NewInvalid
        # Multiple operations
        Sync New Upgrade Gone Flags
        # Mix of the two styles (an example from the mbsync manpage)
        Sync PullNew PullGone Push
        # Syntaxically correct, though they will raise a warning in mbsync:
        Sync PullNew Pull
        Sync PullNew Gone Push
    
    closes: #20243
    
    Signed-off-by: Pierrick Guillaume <pguillaume@fymyte.com>
    Signed-off-by: Cyril Roelandt <tipecaml@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit a0931a90eeee6692556f330b5ba1fb413f9ea85d
Author: John Marriott <basilisk@internode.on.net>
Date:   Wed May 20 18:38:55 2026 +0000

    patch 9.2.0506: home_replace() function can be improved
    
    Problem:  home_replace() function can be improved
    Solution: Refactor home_replace() to return the length of the string
              (John Marriott).
    
    In addition:
    - in function set_b0_fname() move ulen into the block where it is used.
    - In function findswapname() rework logic around displaying "swap file
      already exists" dialogue so that literal message text is set once.
    
    closes: #20249
    
    Signed-off-by: John Marriott <basilisk@internode.on.net>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit aee12156ee3018efcdae87a8c2c327db386f0a5d
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 20 18:36:11 2026 +0000

    runtime(doc): fix GTK4 package name in src/INSTALL
    
    The GTK4 section in src/INSTALL pointed at libgtk-3-dev. Use
    libgtk-4-dev and note that GTK4 is not the default and requires
    --enable-gui=gtk4.
    
    closes: #20254
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit aed758986de7e677d63b1f6caa845938a2fabbdc
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 20 18:26:14 2026 +0000

    patch 9.2.0505: GTK4: text looks blurry on HiDPI displays
    
    Problem:  GTK4: text looks blurry on HiDPI displays
              (Foxe Chen, after v9.2.0501)
    Solution: Allocate the cairo surface at physical resolution and set the
              device scale, recreate it on scale-factor changes
              (Yasuhiro Matsumoto).
    
    The backing cairo image surface was created at logical pixel size, so
    GTK4 upscaled it when blitting to the physical framebuffer. Allocate
    the surface at width*scale x height*scale and apply
    cairo_surface_set_device_scale() so drawing code keeps using logical
    coordinates while the surface itself has full physical resolution.
    Also recreate the surface on notify::scale-factor when the window
    moves between monitors with different scales.
    
    fixes:  #20252
    closes: #20258
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 146f46e26446f75a25457d8b00065f7057352d8e
Author: Lifepillar <lifepillar@lifepillar.me>
Date:   Wed May 20 18:20:04 2026 +0000

    runtime(context,typeset): Correct whitespace error in Log()'s 'edit' command
    
    Also drop Last Change headers as this commit comes from the plugin's
    maintainer.
    
    related: #20242
    related: #20244
    closes:  #20263
    
    Signed-off-by: Lifepillar <lifepillar@lifepillar.me>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f7a58aee36d7fe17657b6eea6f30806050e0571d
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 20 18:01:52 2026 +0000

    patch 9.2.0504: configure: requires X11 libraries for GTK4 build
    
    Problem:  configure: requires X11 libraries for GTK4 build
              (after v9.2.0501)
    Solution: Allow to build GTK4 even when no X11 libraries are present
              (Yasuhiro Matsumoto)
    
    GTK4 does not use X11 APIs directly; the X11 backend is loaded by
    GTK4 at runtime. Skip the X11 dependency enforcement when the user
    explicitly passes --enable-gui=gtk4 so the build can succeed on
    systems without X11 development headers.
    
    closes: #20265
    
    Co-authored-by: Claude <noreply@anthropic.com>
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 129486193c16bb5c0208eff5501f9e665b7c4803
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 20 17:56:05 2026 +0000

    runtime(getscript,vimball,rust): Use correct shellescape() form for ! ex cmd
    
    Problem:  shellescape() called without {special} flag for :! ex command
    Solution: Pass 1 as second argument to shellescape() in :! contexts
    
    related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479:
             [security]: runtime(tar): command injection in tar plugin)
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 71bcc867c95514322abbce560fcb0dec4908951d
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 20 17:34:22 2026 +0000

    patch 9.2.0503: Makefile: Missing dependencies for new GTK4 source files
    
    Problem:  Makefile: Missing dependencies for new GTK4 source files
              (Reilly Brogan, after v9.2.0501)
    Solution: Re-run make depend, clean the result up and include the
              missing dependencies for the GTK4 source files
    
    fixes: #20267
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0fa3603d6d9cec774f3060a33c59778c9baf0e41
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 20 09:13:52 2026 +0200

    runtime(doc): update cmdline-history (after v9.1.0895)
    
    Reported-by: Hernán Ibarra Mejia <hernan@ibarramejia.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 35b767a090cc7b918dcafc9feb1a78cf0938d6bc
Author: J. Paulo Seibt <jpseibt@gmail.com>
Date:   Tue May 19 18:51:14 2026 +0000

    patch 9.2.0502: runtime(netrw): bookmark handling can be improved
    
    Problem:  To goto or delete a bookmark, one needs to prefix a count
              for the bookmark number (e.g., "2gb" to open bookmark#2).
              As the bookmark list gets or deletes entries, the numbers
              keep changing, requiring listing the bookmarks with qb to
              discover the desired bookmark number. Typing gb or mB
              without a count targets g:netrw_bookmarklist[-1].
    Solution: If no count is given to gb or mB, list all bookmarks and
              prompt for a number using inputlist(), similar to tag jump
              with g].
    
    closes: #20211
    
    Signed-off-by: J. Paulo Seibt <jpseibt@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 07dc94023ca9e6cecb139d855814bda8a985d98c
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue May 19 18:46:59 2026 +0000

    runtime(doc): document new GTK4 GUI in version9.txt
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7a57f597562ccd6fb8762cfeb7ed1326fd69bc89
Author: Aliaksei Budavei <0x000c70@gmail.com>
Date:   Tue May 19 18:30:50 2026 +0000

    runtime(syntax-tests): Always delete our copy of "src/testdir/vimcmd"
    
    Also prune this file whenever:
    - tests cannot be run on this OS;
    - tests fail and no QuitPre event is supported for ":cquit".
    
    related: #19127
    closes:  #20247
    
    Signed-off-by: Aliaksei Budavei <0x000c70@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 8cbc77e957106160cfc9c46215cee1db54c3fe6b
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 9 19:41:47 2026 -0400

    release package vim version 2:9.2.0461-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit e3fc7d5e56b1d773ad1819a89a4dd3c23302ca2f
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 9 16:45:07 2026 -0400

    Update changelog for 9.2.0461
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 060d57f64709906a8266c8465f7de1accebdea43
Merge: 503107706 4f610f07b
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 9 16:31:44 2026 -0400

    Merge tag 'v9.2.0461' into debian/sid
    
    v9.2.0461

commit 4f610f07b76b4f34d011179c2531ab4517ac11e8
Author: Christian Brabandt <cb@256bit.org>
Date:   Sat May 9 14:41:37 2026 +0000

    patch 9.2.0461: Corrupted undofile causes use-after-free
    
    Problem:  The four pointer-resolution loops in u_read_undo() lack
              an i != j guard, so a header whose uh_next.seq equals
              its own uh_seq resolves uh_next.ptr to itself.  On
              buffer close, u_freeheader() sees uhp->uh_next.ptr !=
              NULL and skips updating b_u_oldhead, so u_blockfree()
              dereferences the freed header on the next iteration.
              The same pattern applies to uh_prev, uh_alt_next and
              uh_alt_prev.  A crafted .un~ file in the same directory
              as a text file can trigger the use-after-free and
              subsequent double-free when the buffer is closed.
              (Daniel Cervera)
    Solution: Add an i != j guard to each of the four resolution
              loops, matching the guard already present in the
              duplicate-detection loop above.
    
    closes: #20168
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit abd74fa122451882b3b4e7b83813cf3b17e8109a
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sat May 9 14:18:53 2026 +0000

    patch 9.2.0460: did_set_shellpipe_redir() in wrong file
    
    Problem:  did_set_shellpipe_redir() is a callback for a string option,
              but is not in optionstr.c (after 9.2.0458).
    Solution: Move it to optionstr.c. Also add missing change from patch
              9.2.0455 (zeertzjq).
    
    related: #20159
    related: #20164
    closes:  #20170
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 124f8bececb1a50e85965d12ccd52c6c25a73122
Author: Christian Brabandt <cb@256bit.org>
Date:   Sat May 9 14:13:52 2026 +0000

    patch 9.2.0459: tests: test_termcodes fails (after v9.2.0456)
    
    Problem:  tests: test_termcodes fails, because it disabled DECRQM, but
              did not adjust the expected values in the test (after v9.2.0456)
    Solution: Update the test
    
    related: #20161
    closes:  #20173
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit fbec828c7e3144aad2c9b9a207773ad0a4a46b9a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Sat May 9 13:49:43 2026 +0000

    CI: Bump the github-actions group across 1 directory with 2 updates
    
    Bumps the github-actions group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [actions/labeler](https://github.com/actions/labeler).
    
    Updates `github/codeql-action` from 4.35.2 to 4.35.3
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/v4.35.2...v4.35.3)
    
    Updates `actions/labeler` from 6 to 6.0.1
    - [Release notes](https://github.com/actions/labeler/releases)
    - [Commits](https://github.com/actions/labeler/compare/v6...v6.0.1)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: actions/labeler
      dependency-version: 6.0.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    ...
    
    closes: #20171
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 84ae09dd79b9888ba71dc2a28f9afcac3e7b8901
Author: Christian Brabandt <cb@256bit.org>
Date:   Fri May 8 21:29:21 2026 +0000

    patch 9.2.0458: Crash with invalid shellredir/shellpipe value
    
    Problem:  Crash with invalid shellredir/shellpipe value
              (bfredl)
    Solution: Validate the option and allow only a single "%s".
    
    fixes:  #20157
    closes: #20159
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2f00656b3480ed5384ce0513402025de9643462c
Author: Christian Brabandt <cb@256bit.org>
Date:   Fri May 8 21:22:28 2026 +0000

    patch 9.2.0457: Compile warning about unused variable
    
    Problem:  Compile warning about unused variable
              (Tony Mechelynck, after v9.2.0452)
    Solution: Initialize the variable
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7644d9d6114d0b17bfaebb069dd68ae0d7d907fb
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Fri May 8 21:14:52 2026 +0000

    patch 9.2.0456: stray p character displayed on some terms
    
    Problem:  stray p character displayed on some terms
    Solution: Make sending DECRQM more strict and disable it for a few more
              terminals (Foxe Chen)
    
    fixes:  #20156
    fixes:  #20140
    closes: #20161
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 9694ff58fe510bf3906a7b6817429e29d5975987
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Fri May 8 21:09:48 2026 +0000

    patch 9.2.0455: 'findfunc' only allows extra info for cmdline completion
    
    Problem:  'findfunc' only allows extra info for cmdline completion, not
              for actually finding files (Maxim Kim, after 9.2.0451).
    Solution: Handle returning a list of dicts when actually finding files.
              Also fix crash on NULL string (zeertzjq).
    
    fixes:  #20163
    closes: #20164
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b207b5a2a38dd8f45417e69c2e659c4c05ad3c1e
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Fri May 8 21:06:08 2026 +0000

    patch 9.2.0454: tests: no test that "abbr" in customlist completion is shown
    
    Problem:  No test that "abbr" in customlist completion is shown in pum.
    Solution: Add some "abbr" fields to the existing test (zeertzjq).
    
    closes: #20165
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c895390e58fb080f94dcc1c60757a3d697698515
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Fri May 8 20:57:34 2026 +0000

    patch 9.2.0453: vertical separator of statusline blend into active statusline
    
    Problem:  Since v9.2.0349, the vertical separator cell at status line
              rows is drawn as a space with StatusLine highlight, hiding the
              user's 'fillchars' "vert" or "stl"/"stlnc" character at that
              cell (after v9.2.0349)
    Solution: Drop the status line blend.  At status line rows the separator
              cell goes back to using the status fillchar when adjacent
              status lines are connected, or the vsep character otherwise.
              (Same as before v9.2.0348)
    
    Keep the VertSplitNC highlight group introduced in v9.2.0349.  The
    highlight (VertSplit vs VertSplitNC) is selected based on whether the
    current window is adjacent to the separator at the row.
    
    Vertical separators are redrawn on current-window changes and on
    :redrawstatus[!] so the VertSplit/VertSplitNC highlight is updated
    immediately.
    
    fixes:   #20089
    related: #19951
    closes:  #20167
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b9871cef1073dfbcb74b73d9b939b374d6bd50e5
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu May 7 19:40:16 2026 +0000

    patch 9.2.0452: screen.c popup opacity blend logic is duplicated
    
    Problem:  screen_line() has four near-identical blocks computing
              the popup_attr, the combined attr, the blend value and
              the underlying base attr in sequence when handling popups
              with opacity.  The duplication makes the function long
              and hard to follow, and changes have to be applied to all
              four sites.
    Solution: Extract the shared computation into popup_blend_with_base()
              and popup_base_attr_or() helpers, and cache per-popup
              attrs once via popup_opacity_T.  No behavior change
              (Yasuhiro Matsumoto).
    
    closes: #20154
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 58124789aaf98fd96cd94a738633fd652a5e079a
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Thu May 7 19:29:06 2026 +0000

    patch 9.2.0451: 'findfunc' can't return extra info for cmdline completion
    
    Problem:  'findfunc' can't return extra info for cmdline completion
              (Maxim Kim).
    Solution: Handle 'findfunc' return value in cmdline completion like that
              of "customlist" functions (zeertzjq).
    
    fixes:  #20155
    closes: #20158
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 92993329178cb1f72d700fff45ca86e1c2d369f8
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 6 20:50:00 2026 +0200

    patch 9.2.0450: [security]: heap buffer overflow in spellfile.c read_compound()
    
    Problem:  read_compound() in spellfile.c computes the size of the regex
              pattern buffer using signed-int arithmetic on the attacker
              controlled SN_COMPOUND sectionlen.  With sectionlen=0x40000008
              and UTF-8 encoding active the multiplication wraps to 27 while
              the per-byte loop writes up to ~1B bytes, overflowing the heap.
              Reachable when loading a crafted .spl file (e.g. via 'set spell'
              after a modeline sets 'spelllang').  The cp/ap/crp allocations
              have the same int + 1 overflow class (Daniel Cervera)
    Solution: Use type size_t as buffer size and reject values larger than
              COMPOUND_MAX_LEN (100000).  Apply the same size_t treatment to
              the cp/ap/crp allocations.
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 4cbdef8e30cd5da5d3a0941ab88bf082b0b1e164
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 6 18:24:51 2026 +0000

    runtime(vim9): Check cmd.exe on WSL is executable
    
    closes: #20150
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0ab4316fced588dd8d5aba1284c0ada14aa8eb7a
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 6 18:17:00 2026 +0000

    patch 9.2.0449: Make proto fails in non GTK builds
    
    Problem:  Make proto fails when not building the GTK gui
    Solution: Test for $GLIB_COMPILE_RESOURCES as done elsewhere
    
    closes: #20145
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 4bcc8ba93d4d7b6b216dc6a0365e21676b70c715
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 6 18:02:09 2026 +0000

    patch 9.2.0448: Vim9: dangling cmdline pointer after skip_expr_cctx()
    
    Problem:  Vim9: dangling cmdline pointer after skip_expr_cctx()
              (Foxe Chen)
    Solution: Extract the cmdline restoration logic from compile_lambda into
              a helper restore_cmdline_arg() and call it from
              skip_expr_cctx() too, so a skipped lambda inside an "else"
              branch does not leave "*arg" pointing into freed evalarg
              memory (Yasuhiro Matsumoto).
    
    fixes:  #20147
    closes: #20148
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c06002f3cb07c374bfc1a1310cf13ee1914e86da
Author: magnus-rattlehead <magnus-rattlehead@users.noreply.github.com>
Date:   Tue May 5 20:35:32 2026 +0000

    patch 9.2.0447: cindent does not ignore comments
    
    Problem:  When find_start_brace() scans backwards for the enclosing
              block, '{' and '}' inside // and /* */ comments are counted,
              producing wrong indent for code following such comments
              (rendcrx).
    Solution: Implement FM_SKIPCOMM in findmatchlimit() to track block-
              comment state and skip matches inside comments. Pass
              FM_SKIPCOMM from cindent's call sites
              (find_start_brace, find_match_char, cin_iswhileofdo,
              get_c_indent).
    
    fixes:  #4
    fixes:  #648
    fixes:  #19578
    closes: #19581
    closes: #20111
    
    Signed-off-by: magnus-rattlehead <guranjakustivi@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7ccc273a4cb6012e5afbdb94d0f2597bc01fe2fd
Author: J. Paulo Seibt <jpseibt@gmail.com>
Date:   Tue May 5 20:06:15 2026 +0000

    patch 9.2.0446: runtime(netrw): off-by-one bug in s:NetrwUnMarkFile()
    
    Problem:  off-by-one bug in s:NetrwUnMarkFile()
    Solution: Correctly loop through all buffers to unlet all variables
              (J. Paulo Seibt)
    
    When the function loops through buffers to clear s:netrwmarkfilelist_#
    and s:netrwmarkfilemtch_#, it skips the last one at bufnr('$'), messing
    up mark highlights and causing other functions that operate on those
    arrays (like delete or rename) to target stale marked files.
    
    The bufnr() help page says that bufnr("$") returns the highest buffer
    number of existing buffers, so while ibuf < bufnr("$") does not clear
    the last buffer-local arrays.
    
    To reproduce:
    
    Just opening a fresh Vim and running :Ex opens a netrw buffer at the
    highest number. Then, typing mu after marking some files triggers the
    mark highlight bug, and finally typing D would act like calling the
    delete function against the previous marked files, as the buffer-local
    arrays where not touched by s:NetrwUnMarkFile.
    
    closes: #20129
    
    Signed-off-by: J. Paulo Seibt <jpseibt@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 40fc78f0a185f003844334e7c9dd217d6d993143
Author: Jesse Rosenstock <jmr@google.com>
Date:   Tue May 5 19:50:46 2026 +0000

    patch 9.2.0445: win_fix_scroll() called before win_comp_pos() in command_height()
    
    Problem:  win_fix_scroll(true) is called before win_comp_pos() in
              command_height().
    Solution: Move win_fix_scroll(true) after win_comp_pos(), matching the
              ordering used in win_drag_status_line() (Jesse Rosenstock).
    
    Patch 9.2.0413 added win_fix_scroll(true) to command_height() to handle
    splitkeep when cmdheight changes, but placed the call before win_comp_pos().
    win_fix_scroll() reads w_winrow to detect window movement
    (https://github.com/vim/vim/blob/620557bd48865fa3d927901764d2747bf68597b5/src/window.c#L7266),
    but w_winrow is not recomputed until win_comp_pos() runs
    (https://github.com/vim/vim/blob/620557bd48865fa3d927901764d2747bf68597b5/src/window.c#L6516).
    This causes incorrect scroll adjustments and was breaking
    Test_smoothscroll_incsearch on macOS CI.
    
    closes: #20138
    
    Co-authored-by: Gemini
    Signed-off-by: Jesse Rosenstock <jmr@google.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 88fb739918a0d2ca4277e1e79b4fd5799e9b0128
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue May 5 19:47:19 2026 +0000

    patch 9.2.0444: Cannot set 'path' option via modeline
    
    Problem:  Cannot set 'path' option via modeline (zeertzjq, after v9.2.0435)
    Solution: Revert the part that disallows setting 'path' via modeline.
    
    closes: #20137
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cf947e7ef09fc8a63f447b54b107585b8f3b7abe
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Tue May 5 19:02:59 2026 +0000

    patch 9.2.0443: GUI: cancelling save dialog overwrites or discards unnamed buffer
    
    Problem:  When closing gvim with an unsaved unnamed buffer, choosing
              "Yes" in the "Save changes?" dialog and then "Cancel" in the
              file selection dialog either silently writes the buffer to a
              file named "Untitled" (overwriting any existing file with
              that name) or discards the buffer altogether
              (vibs29, after v9.1.0265).
    Solution: In dialog_changed(), if browse_save_fname() leaves the buffer
              without a file name, treat it as a cancel and return without
              saving.  Also stop clearing the modified flag in the restore
              path on write failure, so the unsaved changes are kept and
              the caller (e.g. gui_shell_closed()) can also cancel the
              close.  Pre-fill the file dialog with "Untitled" to match
              the preceding "Save changes to ..." prompt.  Add a test for
              the write-failure path (Hirohito Higashi).
    
    fixes:  #20132
    closes: #20143
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2bfddbea47e1afa79ecd094040418abdba88bc83
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Tue May 5 18:56:56 2026 +0000

    patch 9.2.0442: completion: i_CTRL-X_CTRL-V doesn't use dict from customlist
    
    Problem:  Completion with i_CTRL-X_CTRL-V doesn't use dict from cmdline
              "customlist" completion.
    Solution: Include abbr/kind/menu/info in the completion items
              (zeertzjq).
    
    closes: #20139
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1903020b82eb49c26c8f83ad29f7f2d1d317a81e
Author: Arnaud Rebillout <elboulangero@gmail.com>
Date:   Mon May 4 20:31:51 2026 +0000

    runtime(autopkgtest): update syntax script
    
    Fix some typos, and move a deprecated keyword where it belongs
    
    closes: #20141
    
    Signed-off-by: Arnaud Rebillout <arnaudr@debian.org>
    Signed-off-by: James McCoy <jamessan@jamessan.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b10159bcc22aa1c976234a6b2677f11438bef953
Author: mityu <mityu.mail@gmail.com>
Date:   Mon May 4 20:24:07 2026 +0000

    Fix wrong comment in getchar.c
    
    The comment for `do_key_input_pre()` function says that it handles the
    InsertCharPre autocommand, but what the function actually handles is the
    KeyInputPre autocommand.
    
    closes: #20142
    
    Signed-off-by: mityu <mityu.mail@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 8c7d824b73ff939890f13c3792e45833a651a840
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Mon May 4 20:03:46 2026 +0000

    patch 9.2.0441: statusline: click handler not called on multi-line statusline
    
    Problem:  With a multi-line statusline clicking on a "%[FuncName]...%[]"
              or "%@FuncName@..." region defined on a row other than the
              last drawn row does not invoke the handler (Christian
              Robinson, after v9.2.0338)
    Solution: In win_redr_custom() the click region table reflects only the
              last iteration of the per-row draw loop, so click regions are
              recorded only for the last row.  Move the click-region
              resolution inside the loop and append regions for each row
              using vim_realloc().  This also fixes a leak of
              clicktab[].funcname for non-last rows (Hirohito Higashi).
    
    fixes:  #20116
    closes: #20120
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0c998003bc6ae20e10a6a7362edf52da2eb12019
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Mon May 4 19:58:27 2026 +0000

    patch 9.2.0440: MS-Windows: cursor flicker during update_screen()
    
    Problem:  MS-Windows: cursor flicker during update_screen()
    Solution: Hide the cursor during update_screen() to avoid Windows ConPTY
              flicker (Yasuhiro Matsumoto).
    
    On terminals that do not honor synchronized output mode (e.g. Windows
    ConPTY), update_screen() emits cell positioning and content as multiple
    Win32 console writes through mch_write(), which the terminal renders as
    separate frames.  This shows up as the cursor briefly jumping to column
    1 of rows being redrawn, especially during async redraws around the
    popup completion menu.
    
    Disable the cursor with cursor_off() at the start of update_screen()
    and restore it with cursor_on() at the end, but only when synchronized
    output mode is not active.  When it is, the redraw is already atomic
    from the terminal's view and hiding the cursor would only add visible
    blink with no benefit.
    
    closes: #20121
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3bfffcc29054faff2dbec2d765317ee09e9ef827
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Mon May 4 19:53:10 2026 +0000

    patch 9.2.0439: completion: info popup not removed in cmdline mode
    
    Problem:  Info popup isn't removed when selecting an item that doesn't
              have "info" in cmdline completion, which is inconsistent with
              Insert mode behavior.
    Solution: Set pum_call_update_screen in cmdline mode (zeertzjq).
    
    closes: #20128
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 20a124a6e0e2445c500ccc7c496a8fe5d334aed8
Author: Jesse Rosenstock <jmr@google.com>
Date:   Mon May 4 19:22:25 2026 +0000

    patch 9.2.0438: tests: test_plugin_termdebug is flaky
    
    Problem:  Test_termdebug_tbreak(), Test_termdebug_basic(), and
              Test_termdebug_toggle_break() use synchronous assert_equal()
              to check breakpoint signs immediately after sending commands
              to gdb.  On slow CI (ASAN, ARM64, macOS) gdb may not have
              processed the response yet, causing the sign to be missing.
    Solution: Wrap the three assertions in WaitForAssert() to poll until
              the signs are placed, matching the pattern already used by
              the other assertions in the same tests (Jesse Rosenstock).
    
    closes: #20133
    
    Co-authored-by: Gemini
    Signed-off-by: Jesse Rosenstock <jmr@google.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit bb807ebc8a7a6ad3f3d330cf19ce775cb40a2811
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Mon May 4 19:17:52 2026 +0000

    runtime(doc): Tweak documentation style
    
    closes: #20134
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cb0b4cf45c627263c844348a0ec6388dcfef9fcb
Author: Felipe Matarazzo <felipemps@protonmail.com>
Date:   Mon May 4 19:10:37 2026 +0000

    Fix a few more typos
    
    closes: #20135
    
    Signed-off-by: Felipe Matarazzo <felipemps@protonmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 9d3019104c37bad56ff5bdc7614b26cb3fea7ce4
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sun May 3 18:37:05 2026 +0000

    patch 9.2.0437: MS-Windows: cursor flicker in vtp mode
    
    Problem:  MS-Windows: cursor flicker in vtp mode
    Solution: Skip mch_update_cursor() in cursor_visible() when vtp is
              active (Yasuhiro Matsumoto).
    
    In vtp (ConPTY) mode the cursor visibility is controlled by DECTCEM
    (\033[?25h / \033[?25l).  The follow-up call to mch_update_cursor() then
    re-emits DECSCUSR (\033[0 q etc.) on every visibility toggle even though
    the cursor shape did not change.  Some terminals briefly redisplay the
    cursor when DECSCUSR arrives, so this can cause a visible flash at the
    position the cursor will be moved to next (e.g. column 0 ahead of a line
    redraw).
    
    In non-vtp mode the call is still required because SetConsoleCursorInfo()
    inside mch_set_cursor_shape() reads s_cursor_visible to apply the
    visibility change, so keep that path unchanged.
    
    closes: #20122
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 77677c33dec485aadd371da75cce55d449b51798
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun May 3 18:32:11 2026 +0000

    patch 9.2.0436: Buffer overflow when parsing overlong errorformat lines
    
    Problem:  When an error line in a file passed to :cfile / :cgetfile is
              longer than IOSIZE, qf_parse_file_pfx() copies the tail
              into the fixed-size IObuff with STRMOVE(), overflowing the heap buffer.
              The same code path can also loop indefinitely because
              qf_parse_file_pfx() always returns QF_MULTISCAN when a
              tail is present, and qf_init_ext() unconditionally goes
              to "restofline" without bounding the tail length (Nabih).
    Solution: Remove the STRMOVE() into IObuff.  In the QF_MULTISCAN
              branch, alias linebuf into the tail directly and update
              linelen, requiring strict progress (new length less than
              the previous length) before retrying; otherwise ignore
              the line.
    
    closes: #20126
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun May 3 16:10:03 2026 +0000

    patch 9.2.0435: [security]: backticks in 'path' may cause shell execution on completion
    
    Problem:  [security]: Backticks enclosed shell commands in the 'path'
              option value are executed during completion (q1uf3ng).
    Solution: Skip path entries containing backticks, add P_SECURE to 'path'
              option, so that it cannot be set from a modeline (for symmetry with
              the 'cdpath' option)
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
    
    Supported by AI.
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit fde5a56ecbf9101314ddcc572533e147a9fb11ff
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun May 3 17:47:50 2026 +0000

    patch 9.2.0434: cscope: filename interpreted by /bin/sh
    
    Problem:  cs_create_connection() builds the cscope command by
              interpolating csinfo[i].fname (and ppath, flags) into a
              string and lets the shell parse it.  Shell metacharacters
              in a database filename are therefore evaluated by /bin/sh
              before cscope is exec'd, rather than being passed through as a
              literal path (q1uf3ng)
    Solution: Build argv directly and execvp() the cscope binary
              without an intervening shell.
    
    closes: #20119
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 5c700152ae23c91b6edef3fa3e7ba06d40be0f9e
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 16:04:38 2026 +0000

    patch 9.2.0433: customlist completion cannot supply pum metadata
    
    Problem:  customlist completion cannot supply pum metadata
    Solution: Allow each item returned by a customlist function to be
              either a string or a Dict with keys "word", "abbr", "kind",
              "menu" and "info" (Yasuhiro Matsumoto).
    
    closes: #20100
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3bd25c63b4eda363683c06b0dcc58e74f563d3f2
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 15:49:17 2026 +0000

    patch 9.2.0432: blob to string conversion can be improved
    
    Problem:  blob to string conversion can be improved
    Solution: Compute the output size up front and use a single alloc plus
              mch_memmove() (Yasuhiro Matsumoto).
    
    Replace per-byte ga_append/snprintf loops with bulk allocation and
    mch_memmove in three hot paths: blob2string() (used by string()),
    string_from_blob(), and the UTF-16/UCS path of f_blob2str(). For a
    16 MiB blob, string(blob) is ~28x faster and blob2str() is ~2x faster.
    
    Benchmark (16 MiB blob, 5 iterations, total seconds):
    
    | | Before | After | Speedup |
    |---|---:|---:|---:|
    | `string(blob)` | 6.422 | 0.225 | 28.5x |
    | `blob2str(b)` | 0.504 | 0.265 | 1.90x |
    | `blob2str(b, {encoding: 'utf-8'})` | 0.507 | 0.282 | 1.80x |
    | `blob2str(b, {encoding: 'utf-16le'})` | 0.407 | 0.202 | 2.01x |
    
    closes: #20112
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e1e92fea92ed80dd10ff0cb325433a97c1826b6a
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 15:39:55 2026 +0000

    patch 9.2.0431: blob encoding can be improved
    
    Problem:  blob encoding can be improved
    Solution: Speed up blob encoding by avoiding per-byte ga_append()
              (Yasuhiro Matsumoto)
    
    Replace the per-byte ga_append loop in the VAR_BLOB branch of
    json_encode_item() with a single ga_grow for the worst case
    (2 + 4 * blen) and direct writes through a local pointer. Also
    read blob bytes through a local char_u* instead of going through
    blob_get() for each byte.
    
    Benchmark (1 MiB blob, 5 iterations, total seconds, median of 3 runs):
    
    | byte distribution | Before | After | Speedup |
    |---|---:|---:|---:|
    | 1-digit (0–9)     | 0.0254 | 0.0174 | 1.46x |
    | 2-digit (10–99)   | 0.0344 | 0.0064 | 5.38x |
    | 3-digit (100–255) | 0.0539 | 0.0102 | 5.28x |
    | mixed (0–255)     | 0.0335 | 0.0093 | 3.60x |
    
    closes: #20113
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2219c890136f4c809ca4fa64d357ae46442bfa92
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 15:20:18 2026 +0000

    patch 9.2.0430: tests: Test_shortmess_F3() is flaky on MS-Windows
    
    Problem:  tests: Test_shortmess_F3() is flaky on MS-Windows
    Solution: Increase the sleep to 3s (Yasuhiro Matsumoto)
    
    On MS-Windows time_differs() treats mtime as unchanged unless st_mtime
    differs by more than 1 second, so a 2-second sleep can fall short when
    the two writes straddle a second boundary. Bump the non-nanotime sleep
    to 3 seconds.
    
    closes: #20117
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 503107706dc699a52c3b399e67b1d163c600bc02
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 2 10:40:28 2026 -0400

    release package vim version 2:9.2.0428-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 5007b15639fb465ead585ff986e772498a4bde40
Author: James McCoy <jamessan@debian.org>
Date:   Fri May 1 20:44:15 2026 -0400

    Bump changelog to 9.2.0428
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit c772f6af820a72f78ea3dd018c059ce3ae72885a
Merge: 9cbb64573 59e59a62b
Author: James McCoy <jamessan@debian.org>
Date:   Fri May 1 20:43:28 2026 -0400

    Merge tag 'v9.2.0428' into debian/sid
    
    v9.2.0428

commit 59e59a62b417c6cee7384718120a9378ee347064
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 16:28:51 2026 +0000

    patch 9.2.0428: popup: no opacity support for completepopup/previewpopup
    
    Problem:  popup: no opacity support for completepopup/previewpopup
    Solution: Add support opacity: suboption for the 'completeopt'.
    
    Accepts opacity:0-100 with the same semantics as popup_create()'s
    opacity option, allowing the info / preview popup to blend with
    the background.
    
    closes: #20099
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7b218ae98c0f9a26ade91f0950e5c43d3c3c5b2b
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 16:10:21 2026 +0000

    patch 9.2.0427: popup: opacity blend may leaks white bg color
    
    Problem:  popup: opacity blend may leaks white bg color
    Solution: Add cterm color blending for 256 color terminals, use
              COLOR_INVALID() macro to check for invalid color
              (Yasuhiro Matsumoto)
    
    When a textprop highlight only set gui=undercurl/guisp (no fg/bg), the
    CTERMCOLOR sentinel was treated by hl_blend_attr() as a real near-white
    color, leaking white bg onto textprop-covered cells under an opacity
    popup or pum.  Add a cterm color blending path that approximates blends
    in the xterm 256-color palette using the gui RGB when available, so
    opacity now has a visible effect even without 'termguicolors' (in
    256-color terminals).  Below 256 colors the blend is skipped.
    
    Also document the requirement (GUI, 'termguicolors', or 256-color
    terminal) and update existing pumopt/popupwin opacity screendumps to
    reflect the new blended output.
    
    closes: #20095
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cf5d7102b9624f1bf230b6efad22f9bd0b39bd53
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 16:01:03 2026 +0000

    patch 9.2.0426: tests: still some flaky screendump tests
    
    Problem:  tests: still some flaky screendump tests
              (James McCoy)
    Solution: Replace flaky VerifyScreenDump checks with assert_* assertions
              for Test_visual_block_scroll and Test_scrolloffpad_with_folds,
              and remove the now-unused dump files, mark those tests as
              flaky (which happened previously for screendump tests
              automatically) (Yasuhiro Matsumoto).
    
    fixes:   #20096
    related: #20095
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit d25f8d1b2c6e0cbd390a36884c95edc88f1b3d69
Author: Shougo Matsushita <Shougo.Matsu@gmail.com>
Date:   Fri May 1 14:54:56 2026 +0000

    patch 9.2.0425: Cannot silence undo/redo messages
    
    Problem:  Cannot silence undo/redo messages
    Solution: Add "u" flag to 'shortmess' option
              (Shougo Matsushita).
    
    fixes:  #20049
    closes: #20107
    
    Signed-off-by: Shougo Matsushita <Shougo.Matsu@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ec8b8bd82a905f0faf1a73bf57381597f0e25654
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 13:29:01 2026 +0000

    patch 9.2.0424: popup: flicker when wildtrigger() refreshes the popup menu
    
    Problem:  popup: flicker when wildtrigger() refreshes the popup menu
    Solution: Wrap the pum teardown and cmdline redraw in synchronized
              terminal output (Yasuhiro Matsumoto).
    
    Reduces flicker when wildtrigger() refreshes the popup on every
    keystroke and the cmdline is wrapped: the un-scroll inside
    update_screen() and the re-scroll inside redrawcmd() are emitted as
    one atomic terminal update.
    
    closes: #20081
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 587447ec64ffd9e6eaba329ffd9d778159ea6e32
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 13:25:31 2026 +0000

    patch 9.2.0423: popup: wrapped cmdline truncated with wildoptions=pum
    
    Problem:  popup: wrapped cmdline truncated with wildoptions=pum
    Solution: Call msg_starthere() in redrawcmd() to reset lines_left
              before each redraw (Yasuhiro Matsumoto).
    
    redrawcmd() leaves lines_left at its previous value, which decrements
    across successive redraws (e.g. when wildtrigger() refreshes the popup
    on every keystroke) until 0, after which msg_no_more aborts drawing
    the wrapped cmdline. Call msg_starthere() to reset it.
    
    related: #20081
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>
Created: 2026-07-04 Last update: 2026-07-07 11:30
lintian reports 11 warnings normal
Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-05-10 Last update: 2026-05-10 17:01
AppStream hints: 2 warnings normal
AppStream found metadata issues for packages:
  • vim-common: 1 warning
  • vim-gui-common: 1 warning
You should get rid of them to provide more metadata about this software.
Created: 2020-06-01 Last update: 2020-06-01 01:13
debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 2:9.2.0524-1 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-05-24 16:00
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2023-09-13 08:27
testing migrations
  • This package is part of the ongoing testing transition known as python3.14-default. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the perl-5.42 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2026-07-08] Accepted vim 2:9.2.0782-1 (source) into unstable (James McCoy)
  • [2026-05-29] vim 2:9.2.0524-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-24] Accepted vim 2:9.2.0524-1 (source) into unstable (James McCoy)
  • [2026-05-14] vim 2:9.2.0461-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-10] Accepted vim 2:9.2.0461-1 (source) into unstable (James McCoy)
  • [2026-05-02] Accepted vim 2:9.2.0428-1 (source) into unstable (James McCoy)
  • [2026-04-22] vim 2:9.2.0355-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-16] Accepted vim 2:9.2.0355-1 (source) into unstable (James McCoy)
  • [2026-04-12] Accepted vim 2:9.2.0338-1 (source) into unstable (James McCoy)
  • [2026-04-07] Accepted vim 2:9.2.0315-1 (source) into unstable (James McCoy)
  • [2026-03-26] vim 2:9.2.0218-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-21] Accepted vim 2:9.2.0218-1 (source) into unstable (James McCoy)
  • [2026-03-11] Accepted vim 2:9.2.0136-1 (source) into unstable (James McCoy)
  • [2026-03-09] Accepted vim 2:9.2.0119-1 (source) into unstable (James McCoy)
  • [2026-02-20] vim 2:9.1.2141-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-09] Accepted vim 2:9.1.2141-1 (source) into unstable (James McCoy)
  • [2026-01-25] vim 2:9.1.2103-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-23] Accepted vim 2:9.1.2103-1 (source) into unstable (James McCoy)
  • [2025-11-11] vim 2:9.1.1882-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-28] Accepted vim 2:9.1.1882-1 (source) into unstable (James McCoy)
  • [2025-10-10] Accepted vim 2:9.1.1846-1 (source) into unstable (James McCoy)
  • [2025-10-06] Accepted vim 2:9.1.1829-1 (source) into unstable (James McCoy)
  • [2025-09-24] Accepted vim 2:9.1.1766-1 (source) into experimental (James McCoy)
  • [2025-05-28] vim 2:9.1.1230-2 MIGRATED to testing (Debian testing watch)
  • [2025-05-23] Accepted vim 2:9.1.1230-2 (source) into unstable (James McCoy)
  • [2025-05-16] Accepted vim 2:9.1.1385-1 (source) into experimental (James McCoy)
  • [2025-03-30] Accepted vim 2:8.2.2434-3+deb11u3 (source) into oldstable-security (Sean Whitton)
  • [2025-03-30] Accepted vim 2:8.2.2434-3+deb11u2 (source) into oldstable-security (Sean Whitton)
  • [2025-03-27] vim 2:9.1.1230-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-25] Accepted vim 2:9.1.1230-1 (source) into unstable (James McCoy)
  • 1
  • 2
bugs [bug history graph]
  • all: 108
  • RC: 0
  • I&N: 49
  • M&W: 55
  • F&P: 4
  • patch: 17
links
  • homepage
  • lintian (0, 11)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 100)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2:9.2.0461-1ubuntu1
  • patches for 2:9.2.0461-1ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing