Debian Package Tracker
Register | Log in
Subscribe

vim

Vi IMproved - enhanced vi editor

Choose email to subscribe with

general
  • source: vim (main)
  • version: 2:9.2.0524-1
  • maintainer: Debian Vim Maintainers (DMD)
  • uploaders: James McCoy [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2:8.2.2434-3+deb11u1
  • o-o-sec: 2:8.2.2434-3+deb11u3
  • oldstable: 2:9.0.1378-2+deb12u2
  • stable: 2:9.1.1230-2
  • testing: 2:9.2.0524-1
  • unstable: 2:9.2.0524-1
versioned links
  • 2:8.2.2434-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:8.2.2434-3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:9.0.1378-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:9.1.1230-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2:9.2.0524-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • vim (41 bugs: 0, 20, 21, 0)
  • vim-common (6 bugs: 0, 2, 4, 0)
  • vim-doc (1 bugs: 0, 0, 1, 0)
  • vim-gtk3 (3 bugs: 0, 1, 2, 0)
  • vim-gui-common
  • vim-motif
  • vim-nox (1 bugs: 0, 0, 1, 0)
  • vim-runtime (33 bugs: 0, 14, 19, 0)
  • vim-tiny (1 bugs: 0, 1, 0, 0)
  • xxd (3 bugs: 0, 0, 3, 0)
action needed
A new upstream version is available: 9.2.0780 high
A new upstream version 9.2.0780 is available, you should consider packaging it.
Created: 2026-05-14 Last update: 2026-07-06 18:31
30 security issues in trixie high

There are 30 open security issues in trixie.

25 important issues:
  • CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
  • CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
  • CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
  • CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
  • CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
  • CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
  • CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
  • CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
  • CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
  • CVE-2026-42307: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
  • CVE-2026-43961:
  • CVE-2026-44656: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
  • CVE-2026-45130: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
  • CVE-2026-47162: Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
  • CVE-2026-47167: Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
5 issues left for the package maintainer to handle:
  • CVE-2025-53905: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
  • CVE-2025-53906: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
  • CVE-2026-25749: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
  • CVE-2026-26269: (needs triaging) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
  • CVE-2026-46483: (needs triaging) Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-07-16 Last update: 2026-06-26 10:00
11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57454: Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
Created: 2026-06-11 Last update: 2026-06-26 10:00
11 security issues in forky high

There are 11 open security issues in forky.

11 important issues:
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57454: Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads the virtual text without bounds checking, causing an out-of-bounds read that can crash Vim or disclose adjacent heap memory. This vulnerability is fixed in 9.2.0679.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
Created: 2026-06-11 Last update: 2026-06-26 10:00
30 security issues in bullseye high

There are 30 open security issues in bullseye.

26 important issues:
  • CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
  • CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
  • CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
  • CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
  • CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
  • CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
  • CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
  • CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
  • CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
  • CVE-2026-42307: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
  • CVE-2026-43961:
  • CVE-2026-44656: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
  • CVE-2026-45130: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
  • CVE-2026-46483: Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
  • CVE-2026-47162: Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
  • CVE-2026-47167: Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
4 issues postponed or untriaged:
  • CVE-2025-53905: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
  • CVE-2025-53906: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
  • CVE-2026-25749: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
  • CVE-2026-26269: (postponed; to be fixed through a stable update) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
Created: 2026-02-28 Last update: 2026-06-26 10:00
31 security issues in bookworm high

There are 31 open security issues in bookworm.

25 important issues:
  • CVE-2026-28417: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
  • CVE-2026-28418: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
  • CVE-2026-28420: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
  • CVE-2026-28421: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
  • CVE-2026-33412: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
  • CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
  • CVE-2026-35177: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
  • CVE-2026-39881: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
  • CVE-2026-41411: Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
  • CVE-2026-42307: Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
  • CVE-2026-43961:
  • CVE-2026-44656: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
  • CVE-2026-45130: Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
  • CVE-2026-47162: Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.
  • CVE-2026-47167: Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496.
  • CVE-2026-52858: Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561.
  • CVE-2026-52860: Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597.
  • CVE-2026-55693: Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
  • CVE-2026-55892: Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
  • CVE-2026-55895: Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
  • CVE-2026-57451: Vim is an open source, command line text editor. Prior to 9.2.0670, get_text_props() in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop_T entries that follow. The only check is a floor that guarantees room for a single entry; the count is never checked against the amount of data actually present. A line that declares a large count while carrying little data causes consumers to read far past the end of the line buffer. Such a line can be delivered through a crafted undo file, leading to a crash. This vulnerability is fixed in 9.2.0670.
  • CVE-2026-57452: Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.
  • CVE-2026-57453: Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.
  • CVE-2026-57455: Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
  • CVE-2026-57456: Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
6 issues left for the package maintainer to handle:
  • CVE-2025-29768: (needs triaging) Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.
  • CVE-2025-53905: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
  • CVE-2025-53906: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
  • CVE-2026-25749: (needs triaging) Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
  • CVE-2026-26269: (needs triaging) Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
  • CVE-2026-46483: (needs triaging) Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-03-03 Last update: 2026-06-26 10:00
17 bugs tagged patch in the BTS normal
The BTS contains patches fixing 17 bugs, consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-06 22:47
Fails to build during reproducibility testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2024-01-19 Last update: 2026-07-06 22:00
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2:9.2.0782-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit d143d81ed7e4029876e6c5cb4f4c6fe7d4206237
Author: James McCoy <jamessan@debian.org>
Date:   Sat Jul 4 10:29:55 2026 -0400

    Start changelog for v9.2.0782
    
    Closes: #1139728
    Closes: #1139729
    Closes: #1139730
    Closes: #1140775
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 142d9acf912af8654bd854cae70c9d8123ea0627
Merge: b850129d3 834b8d218
Author: James McCoy <jamessan@debian.org>
Date:   Sat Jul 4 09:20:34 2026 -0400

    Merge tag 'v9.2.0782' into debian/sid
    
    v9.2.0782
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit b850129d3f91fa5c105800d4697e8cf6b945a38b
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 22:35:31 2026 -0400

    release package vim version 2:9.2.0524-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit ee0166cd6bd608d025bae665c4642f692867fa89
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 22:31:30 2026 -0400

    Remove obsolete --enable-sockerserver switch
    
    The functionality has changed and is always available when channels are
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit b6f1b9613b6c35b8ac484f6c19b3e24172616338
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 21:01:04 2026 -0400

    Disable gtk4 configure check until new UI stabilizes
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 651753743227b2d955a66256c8016ddfc487d031
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 21:00:35 2026 -0400

    Start changelog for v9.2.0524
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 48bb2bb53769dd861526e5cc3294ae60b9fcea73
Merge: 8cbc77e95 9a920e825
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 23 20:58:26 2026 -0400

    Merge tag 'v9.2.0524' into debian/sid
    
    v9.2.0524

commit 8cbc77e957106160cfc9c46215cee1db54c3fe6b
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 9 19:41:47 2026 -0400

    release package vim version 2:9.2.0461-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit e3fc7d5e56b1d773ad1819a89a4dd3c23302ca2f
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 9 16:45:07 2026 -0400

    Update changelog for 9.2.0461
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 060d57f64709906a8266c8465f7de1accebdea43
Merge: 503107706 4f610f07b
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 9 16:31:44 2026 -0400

    Merge tag 'v9.2.0461' into debian/sid
    
    v9.2.0461

commit 4f610f07b76b4f34d011179c2531ab4517ac11e8
Author: Christian Brabandt <cb@256bit.org>
Date:   Sat May 9 14:41:37 2026 +0000

    patch 9.2.0461: Corrupted undofile causes use-after-free
    
    Problem:  The four pointer-resolution loops in u_read_undo() lack
              an i != j guard, so a header whose uh_next.seq equals
              its own uh_seq resolves uh_next.ptr to itself.  On
              buffer close, u_freeheader() sees uhp->uh_next.ptr !=
              NULL and skips updating b_u_oldhead, so u_blockfree()
              dereferences the freed header on the next iteration.
              The same pattern applies to uh_prev, uh_alt_next and
              uh_alt_prev.  A crafted .un~ file in the same directory
              as a text file can trigger the use-after-free and
              subsequent double-free when the buffer is closed.
              (Daniel Cervera)
    Solution: Add an i != j guard to each of the four resolution
              loops, matching the guard already present in the
              duplicate-detection loop above.
    
    closes: #20168
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit abd74fa122451882b3b4e7b83813cf3b17e8109a
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sat May 9 14:18:53 2026 +0000

    patch 9.2.0460: did_set_shellpipe_redir() in wrong file
    
    Problem:  did_set_shellpipe_redir() is a callback for a string option,
              but is not in optionstr.c (after 9.2.0458).
    Solution: Move it to optionstr.c. Also add missing change from patch
              9.2.0455 (zeertzjq).
    
    related: #20159
    related: #20164
    closes:  #20170
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 124f8bececb1a50e85965d12ccd52c6c25a73122
Author: Christian Brabandt <cb@256bit.org>
Date:   Sat May 9 14:13:52 2026 +0000

    patch 9.2.0459: tests: test_termcodes fails (after v9.2.0456)
    
    Problem:  tests: test_termcodes fails, because it disabled DECRQM, but
              did not adjust the expected values in the test (after v9.2.0456)
    Solution: Update the test
    
    related: #20161
    closes:  #20173
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit fbec828c7e3144aad2c9b9a207773ad0a4a46b9a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Sat May 9 13:49:43 2026 +0000

    CI: Bump the github-actions group across 1 directory with 2 updates
    
    Bumps the github-actions group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [actions/labeler](https://github.com/actions/labeler).
    
    Updates `github/codeql-action` from 4.35.2 to 4.35.3
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/v4.35.2...v4.35.3)
    
    Updates `actions/labeler` from 6 to 6.0.1
    - [Release notes](https://github.com/actions/labeler/releases)
    - [Commits](https://github.com/actions/labeler/compare/v6...v6.0.1)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.3
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    - dependency-name: actions/labeler
      dependency-version: 6.0.1
      dependency-type: direct:production
      update-type: version-update:semver-patch
      dependency-group: github-actions
    ...
    
    closes: #20171
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 84ae09dd79b9888ba71dc2a28f9afcac3e7b8901
Author: Christian Brabandt <cb@256bit.org>
Date:   Fri May 8 21:29:21 2026 +0000

    patch 9.2.0458: Crash with invalid shellredir/shellpipe value
    
    Problem:  Crash with invalid shellredir/shellpipe value
              (bfredl)
    Solution: Validate the option and allow only a single "%s".
    
    fixes:  #20157
    closes: #20159
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2f00656b3480ed5384ce0513402025de9643462c
Author: Christian Brabandt <cb@256bit.org>
Date:   Fri May 8 21:22:28 2026 +0000

    patch 9.2.0457: Compile warning about unused variable
    
    Problem:  Compile warning about unused variable
              (Tony Mechelynck, after v9.2.0452)
    Solution: Initialize the variable
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7644d9d6114d0b17bfaebb069dd68ae0d7d907fb
Author: Foxe Chen <chen.foxe@gmail.com>
Date:   Fri May 8 21:14:52 2026 +0000

    patch 9.2.0456: stray p character displayed on some terms
    
    Problem:  stray p character displayed on some terms
    Solution: Make sending DECRQM more strict and disable it for a few more
              terminals (Foxe Chen)
    
    fixes:  #20156
    fixes:  #20140
    closes: #20161
    
    Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 9694ff58fe510bf3906a7b6817429e29d5975987
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Fri May 8 21:09:48 2026 +0000

    patch 9.2.0455: 'findfunc' only allows extra info for cmdline completion
    
    Problem:  'findfunc' only allows extra info for cmdline completion, not
              for actually finding files (Maxim Kim, after 9.2.0451).
    Solution: Handle returning a list of dicts when actually finding files.
              Also fix crash on NULL string (zeertzjq).
    
    fixes:  #20163
    closes: #20164
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b207b5a2a38dd8f45417e69c2e659c4c05ad3c1e
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Fri May 8 21:06:08 2026 +0000

    patch 9.2.0454: tests: no test that "abbr" in customlist completion is shown
    
    Problem:  No test that "abbr" in customlist completion is shown in pum.
    Solution: Add some "abbr" fields to the existing test (zeertzjq).
    
    closes: #20165
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c895390e58fb080f94dcc1c60757a3d697698515
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Fri May 8 20:57:34 2026 +0000

    patch 9.2.0453: vertical separator of statusline blend into active statusline
    
    Problem:  Since v9.2.0349, the vertical separator cell at status line
              rows is drawn as a space with StatusLine highlight, hiding the
              user's 'fillchars' "vert" or "stl"/"stlnc" character at that
              cell (after v9.2.0349)
    Solution: Drop the status line blend.  At status line rows the separator
              cell goes back to using the status fillchar when adjacent
              status lines are connected, or the vsep character otherwise.
              (Same as before v9.2.0348)
    
    Keep the VertSplitNC highlight group introduced in v9.2.0349.  The
    highlight (VertSplit vs VertSplitNC) is selected based on whether the
    current window is adjacent to the separator at the row.
    
    Vertical separators are redrawn on current-window changes and on
    :redrawstatus[!] so the VertSplit/VertSplitNC highlight is updated
    immediately.
    
    fixes:   #20089
    related: #19951
    closes:  #20167
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b9871cef1073dfbcb74b73d9b939b374d6bd50e5
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Thu May 7 19:40:16 2026 +0000

    patch 9.2.0452: screen.c popup opacity blend logic is duplicated
    
    Problem:  screen_line() has four near-identical blocks computing
              the popup_attr, the combined attr, the blend value and
              the underlying base attr in sequence when handling popups
              with opacity.  The duplication makes the function long
              and hard to follow, and changes have to be applied to all
              four sites.
    Solution: Extract the shared computation into popup_blend_with_base()
              and popup_base_attr_or() helpers, and cache per-popup
              attrs once via popup_opacity_T.  No behavior change
              (Yasuhiro Matsumoto).
    
    closes: #20154
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 58124789aaf98fd96cd94a738633fd652a5e079a
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Thu May 7 19:29:06 2026 +0000

    patch 9.2.0451: 'findfunc' can't return extra info for cmdline completion
    
    Problem:  'findfunc' can't return extra info for cmdline completion
              (Maxim Kim).
    Solution: Handle 'findfunc' return value in cmdline completion like that
              of "customlist" functions (zeertzjq).
    
    fixes:  #20155
    closes: #20158
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 92993329178cb1f72d700fff45ca86e1c2d369f8
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 6 20:50:00 2026 +0200

    patch 9.2.0450: [security]: heap buffer overflow in spellfile.c read_compound()
    
    Problem:  read_compound() in spellfile.c computes the size of the regex
              pattern buffer using signed-int arithmetic on the attacker
              controlled SN_COMPOUND sectionlen.  With sectionlen=0x40000008
              and UTF-8 encoding active the multiplication wraps to 27 while
              the per-byte loop writes up to ~1B bytes, overflowing the heap.
              Reachable when loading a crafted .spl file (e.g. via 'set spell'
              after a modeline sets 'spelllang').  The cp/ap/crp allocations
              have the same int + 1 overflow class (Daniel Cervera)
    Solution: Use type size_t as buffer size and reject values larger than
              COMPOUND_MAX_LEN (100000).  Apply the same size_t treatment to
              the cp/ap/crp allocations.
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 4cbdef8e30cd5da5d3a0941ab88bf082b0b1e164
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 6 18:24:51 2026 +0000

    runtime(vim9): Check cmd.exe on WSL is executable
    
    closes: #20150
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0ab4316fced588dd8d5aba1284c0ada14aa8eb7a
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed May 6 18:17:00 2026 +0000

    patch 9.2.0449: Make proto fails in non GTK builds
    
    Problem:  Make proto fails when not building the GTK gui
    Solution: Test for $GLIB_COMPILE_RESOURCES as done elsewhere
    
    closes: #20145
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 4bcc8ba93d4d7b6b216dc6a0365e21676b70c715
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed May 6 18:02:09 2026 +0000

    patch 9.2.0448: Vim9: dangling cmdline pointer after skip_expr_cctx()
    
    Problem:  Vim9: dangling cmdline pointer after skip_expr_cctx()
              (Foxe Chen)
    Solution: Extract the cmdline restoration logic from compile_lambda into
              a helper restore_cmdline_arg() and call it from
              skip_expr_cctx() too, so a skipped lambda inside an "else"
              branch does not leave "*arg" pointing into freed evalarg
              memory (Yasuhiro Matsumoto).
    
    fixes:  #20147
    closes: #20148
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c06002f3cb07c374bfc1a1310cf13ee1914e86da
Author: magnus-rattlehead <magnus-rattlehead@users.noreply.github.com>
Date:   Tue May 5 20:35:32 2026 +0000

    patch 9.2.0447: cindent does not ignore comments
    
    Problem:  When find_start_brace() scans backwards for the enclosing
              block, '{' and '}' inside // and /* */ comments are counted,
              producing wrong indent for code following such comments
              (rendcrx).
    Solution: Implement FM_SKIPCOMM in findmatchlimit() to track block-
              comment state and skip matches inside comments. Pass
              FM_SKIPCOMM from cindent's call sites
              (find_start_brace, find_match_char, cin_iswhileofdo,
              get_c_indent).
    
    fixes:  #4
    fixes:  #648
    fixes:  #19578
    closes: #19581
    closes: #20111
    
    Signed-off-by: magnus-rattlehead <guranjakustivi@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7ccc273a4cb6012e5afbdb94d0f2597bc01fe2fd
Author: J. Paulo Seibt <jpseibt@gmail.com>
Date:   Tue May 5 20:06:15 2026 +0000

    patch 9.2.0446: runtime(netrw): off-by-one bug in s:NetrwUnMarkFile()
    
    Problem:  off-by-one bug in s:NetrwUnMarkFile()
    Solution: Correctly loop through all buffers to unlet all variables
              (J. Paulo Seibt)
    
    When the function loops through buffers to clear s:netrwmarkfilelist_#
    and s:netrwmarkfilemtch_#, it skips the last one at bufnr('$'), messing
    up mark highlights and causing other functions that operate on those
    arrays (like delete or rename) to target stale marked files.
    
    The bufnr() help page says that bufnr("$") returns the highest buffer
    number of existing buffers, so while ibuf < bufnr("$") does not clear
    the last buffer-local arrays.
    
    To reproduce:
    
    Just opening a fresh Vim and running :Ex opens a netrw buffer at the
    highest number. Then, typing mu after marking some files triggers the
    mark highlight bug, and finally typing D would act like calling the
    delete function against the previous marked files, as the buffer-local
    arrays where not touched by s:NetrwUnMarkFile.
    
    closes: #20129
    
    Signed-off-by: J. Paulo Seibt <jpseibt@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 40fc78f0a185f003844334e7c9dd217d6d993143
Author: Jesse Rosenstock <jmr@google.com>
Date:   Tue May 5 19:50:46 2026 +0000

    patch 9.2.0445: win_fix_scroll() called before win_comp_pos() in command_height()
    
    Problem:  win_fix_scroll(true) is called before win_comp_pos() in
              command_height().
    Solution: Move win_fix_scroll(true) after win_comp_pos(), matching the
              ordering used in win_drag_status_line() (Jesse Rosenstock).
    
    Patch 9.2.0413 added win_fix_scroll(true) to command_height() to handle
    splitkeep when cmdheight changes, but placed the call before win_comp_pos().
    win_fix_scroll() reads w_winrow to detect window movement
    (https://github.com/vim/vim/blob/620557bd48865fa3d927901764d2747bf68597b5/src/window.c#L7266),
    but w_winrow is not recomputed until win_comp_pos() runs
    (https://github.com/vim/vim/blob/620557bd48865fa3d927901764d2747bf68597b5/src/window.c#L6516).
    This causes incorrect scroll adjustments and was breaking
    Test_smoothscroll_incsearch on macOS CI.
    
    closes: #20138
    
    Co-authored-by: Gemini
    Signed-off-by: Jesse Rosenstock <jmr@google.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 88fb739918a0d2ca4277e1e79b4fd5799e9b0128
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue May 5 19:47:19 2026 +0000

    patch 9.2.0444: Cannot set 'path' option via modeline
    
    Problem:  Cannot set 'path' option via modeline (zeertzjq, after v9.2.0435)
    Solution: Revert the part that disallows setting 'path' via modeline.
    
    closes: #20137
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cf947e7ef09fc8a63f447b54b107585b8f3b7abe
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Tue May 5 19:02:59 2026 +0000

    patch 9.2.0443: GUI: cancelling save dialog overwrites or discards unnamed buffer
    
    Problem:  When closing gvim with an unsaved unnamed buffer, choosing
              "Yes" in the "Save changes?" dialog and then "Cancel" in the
              file selection dialog either silently writes the buffer to a
              file named "Untitled" (overwriting any existing file with
              that name) or discards the buffer altogether
              (vibs29, after v9.1.0265).
    Solution: In dialog_changed(), if browse_save_fname() leaves the buffer
              without a file name, treat it as a cancel and return without
              saving.  Also stop clearing the modified flag in the restore
              path on write failure, so the unsaved changes are kept and
              the caller (e.g. gui_shell_closed()) can also cancel the
              close.  Pre-fill the file dialog with "Untitled" to match
              the preceding "Save changes to ..." prompt.  Add a test for
              the write-failure path (Hirohito Higashi).
    
    fixes:  #20132
    closes: #20143
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2bfddbea47e1afa79ecd094040418abdba88bc83
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Tue May 5 18:56:56 2026 +0000

    patch 9.2.0442: completion: i_CTRL-X_CTRL-V doesn't use dict from customlist
    
    Problem:  Completion with i_CTRL-X_CTRL-V doesn't use dict from cmdline
              "customlist" completion.
    Solution: Include abbr/kind/menu/info in the completion items
              (zeertzjq).
    
    closes: #20139
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1903020b82eb49c26c8f83ad29f7f2d1d317a81e
Author: Arnaud Rebillout <elboulangero@gmail.com>
Date:   Mon May 4 20:31:51 2026 +0000

    runtime(autopkgtest): update syntax script
    
    Fix some typos, and move a deprecated keyword where it belongs
    
    closes: #20141
    
    Signed-off-by: Arnaud Rebillout <arnaudr@debian.org>
    Signed-off-by: James McCoy <jamessan@jamessan.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit b10159bcc22aa1c976234a6b2677f11438bef953
Author: mityu <mityu.mail@gmail.com>
Date:   Mon May 4 20:24:07 2026 +0000

    Fix wrong comment in getchar.c
    
    The comment for `do_key_input_pre()` function says that it handles the
    InsertCharPre autocommand, but what the function actually handles is the
    KeyInputPre autocommand.
    
    closes: #20142
    
    Signed-off-by: mityu <mityu.mail@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 8c7d824b73ff939890f13c3792e45833a651a840
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Mon May 4 20:03:46 2026 +0000

    patch 9.2.0441: statusline: click handler not called on multi-line statusline
    
    Problem:  With a multi-line statusline clicking on a "%[FuncName]...%[]"
              or "%@FuncName@..." region defined on a row other than the
              last drawn row does not invoke the handler (Christian
              Robinson, after v9.2.0338)
    Solution: In win_redr_custom() the click region table reflects only the
              last iteration of the per-row draw loop, so click regions are
              recorded only for the last row.  Move the click-region
              resolution inside the loop and append regions for each row
              using vim_realloc().  This also fixes a leak of
              clicktab[].funcname for non-last rows (Hirohito Higashi).
    
    fixes:  #20116
    closes: #20120
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0c998003bc6ae20e10a6a7362edf52da2eb12019
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Mon May 4 19:58:27 2026 +0000

    patch 9.2.0440: MS-Windows: cursor flicker during update_screen()
    
    Problem:  MS-Windows: cursor flicker during update_screen()
    Solution: Hide the cursor during update_screen() to avoid Windows ConPTY
              flicker (Yasuhiro Matsumoto).
    
    On terminals that do not honor synchronized output mode (e.g. Windows
    ConPTY), update_screen() emits cell positioning and content as multiple
    Win32 console writes through mch_write(), which the terminal renders as
    separate frames.  This shows up as the cursor briefly jumping to column
    1 of rows being redrawn, especially during async redraws around the
    popup completion menu.
    
    Disable the cursor with cursor_off() at the start of update_screen()
    and restore it with cursor_on() at the end, but only when synchronized
    output mode is not active.  When it is, the redraw is already atomic
    from the terminal's view and hiding the cursor would only add visible
    blink with no benefit.
    
    closes: #20121
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3bfffcc29054faff2dbec2d765317ee09e9ef827
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Mon May 4 19:53:10 2026 +0000

    patch 9.2.0439: completion: info popup not removed in cmdline mode
    
    Problem:  Info popup isn't removed when selecting an item that doesn't
              have "info" in cmdline completion, which is inconsistent with
              Insert mode behavior.
    Solution: Set pum_call_update_screen in cmdline mode (zeertzjq).
    
    closes: #20128
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 20a124a6e0e2445c500ccc7c496a8fe5d334aed8
Author: Jesse Rosenstock <jmr@google.com>
Date:   Mon May 4 19:22:25 2026 +0000

    patch 9.2.0438: tests: test_plugin_termdebug is flaky
    
    Problem:  Test_termdebug_tbreak(), Test_termdebug_basic(), and
              Test_termdebug_toggle_break() use synchronous assert_equal()
              to check breakpoint signs immediately after sending commands
              to gdb.  On slow CI (ASAN, ARM64, macOS) gdb may not have
              processed the response yet, causing the sign to be missing.
    Solution: Wrap the three assertions in WaitForAssert() to poll until
              the signs are placed, matching the pattern already used by
              the other assertions in the same tests (Jesse Rosenstock).
    
    closes: #20133
    
    Co-authored-by: Gemini
    Signed-off-by: Jesse Rosenstock <jmr@google.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit bb807ebc8a7a6ad3f3d330cf19ce775cb40a2811
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Mon May 4 19:17:52 2026 +0000

    runtime(doc): Tweak documentation style
    
    closes: #20134
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cb0b4cf45c627263c844348a0ec6388dcfef9fcb
Author: Felipe Matarazzo <felipemps@protonmail.com>
Date:   Mon May 4 19:10:37 2026 +0000

    Fix a few more typos
    
    closes: #20135
    
    Signed-off-by: Felipe Matarazzo <felipemps@protonmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 9d3019104c37bad56ff5bdc7614b26cb3fea7ce4
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sun May 3 18:37:05 2026 +0000

    patch 9.2.0437: MS-Windows: cursor flicker in vtp mode
    
    Problem:  MS-Windows: cursor flicker in vtp mode
    Solution: Skip mch_update_cursor() in cursor_visible() when vtp is
              active (Yasuhiro Matsumoto).
    
    In vtp (ConPTY) mode the cursor visibility is controlled by DECTCEM
    (\033[?25h / \033[?25l).  The follow-up call to mch_update_cursor() then
    re-emits DECSCUSR (\033[0 q etc.) on every visibility toggle even though
    the cursor shape did not change.  Some terminals briefly redisplay the
    cursor when DECSCUSR arrives, so this can cause a visible flash at the
    position the cursor will be moved to next (e.g. column 0 ahead of a line
    redraw).
    
    In non-vtp mode the call is still required because SetConsoleCursorInfo()
    inside mch_set_cursor_shape() reads s_cursor_visible to apply the
    visibility change, so keep that path unchanged.
    
    closes: #20122
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 77677c33dec485aadd371da75cce55d449b51798
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun May 3 18:32:11 2026 +0000

    patch 9.2.0436: Buffer overflow when parsing overlong errorformat lines
    
    Problem:  When an error line in a file passed to :cfile / :cgetfile is
              longer than IOSIZE, qf_parse_file_pfx() copies the tail
              into the fixed-size IObuff with STRMOVE(), overflowing the heap buffer.
              The same code path can also loop indefinitely because
              qf_parse_file_pfx() always returns QF_MULTISCAN when a
              tail is present, and qf_init_ext() unconditionally goes
              to "restofline" without bounding the tail length (Nabih).
    Solution: Remove the STRMOVE() into IObuff.  In the QF_MULTISCAN
              branch, alias linebuf into the tail directly and update
              linelen, requiring strict progress (new length less than
              the previous length) before retrying; otherwise ignore
              the line.
    
    closes: #20126
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun May 3 16:10:03 2026 +0000

    patch 9.2.0435: [security]: backticks in 'path' may cause shell execution on completion
    
    Problem:  [security]: Backticks enclosed shell commands in the 'path'
              option value are executed during completion (q1uf3ng).
    Solution: Skip path entries containing backticks, add P_SECURE to 'path'
              option, so that it cannot be set from a modeline (for symmetry with
              the 'cdpath' option)
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
    
    Supported by AI.
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit fde5a56ecbf9101314ddcc572533e147a9fb11ff
Author: Christian Brabandt <cb@256bit.org>
Date:   Sun May 3 17:47:50 2026 +0000

    patch 9.2.0434: cscope: filename interpreted by /bin/sh
    
    Problem:  cs_create_connection() builds the cscope command by
              interpolating csinfo[i].fname (and ppath, flags) into a
              string and lets the shell parse it.  Shell metacharacters
              in a database filename are therefore evaluated by /bin/sh
              before cscope is exec'd, rather than being passed through as a
              literal path (q1uf3ng)
    Solution: Build argv directly and execvp() the cscope binary
              without an intervening shell.
    
    closes: #20119
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 5c700152ae23c91b6edef3fa3e7ba06d40be0f9e
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 16:04:38 2026 +0000

    patch 9.2.0433: customlist completion cannot supply pum metadata
    
    Problem:  customlist completion cannot supply pum metadata
    Solution: Allow each item returned by a customlist function to be
              either a string or a Dict with keys "word", "abbr", "kind",
              "menu" and "info" (Yasuhiro Matsumoto).
    
    closes: #20100
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3bd25c63b4eda363683c06b0dcc58e74f563d3f2
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 15:49:17 2026 +0000

    patch 9.2.0432: blob to string conversion can be improved
    
    Problem:  blob to string conversion can be improved
    Solution: Compute the output size up front and use a single alloc plus
              mch_memmove() (Yasuhiro Matsumoto).
    
    Replace per-byte ga_append/snprintf loops with bulk allocation and
    mch_memmove in three hot paths: blob2string() (used by string()),
    string_from_blob(), and the UTF-16/UCS path of f_blob2str(). For a
    16 MiB blob, string(blob) is ~28x faster and blob2str() is ~2x faster.
    
    Benchmark (16 MiB blob, 5 iterations, total seconds):
    
    | | Before | After | Speedup |
    |---|---:|---:|---:|
    | `string(blob)` | 6.422 | 0.225 | 28.5x |
    | `blob2str(b)` | 0.504 | 0.265 | 1.90x |
    | `blob2str(b, {encoding: 'utf-8'})` | 0.507 | 0.282 | 1.80x |
    | `blob2str(b, {encoding: 'utf-16le'})` | 0.407 | 0.202 | 2.01x |
    
    closes: #20112
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e1e92fea92ed80dd10ff0cb325433a97c1826b6a
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 15:39:55 2026 +0000

    patch 9.2.0431: blob encoding can be improved
    
    Problem:  blob encoding can be improved
    Solution: Speed up blob encoding by avoiding per-byte ga_append()
              (Yasuhiro Matsumoto)
    
    Replace the per-byte ga_append loop in the VAR_BLOB branch of
    json_encode_item() with a single ga_grow for the worst case
    (2 + 4 * blen) and direct writes through a local pointer. Also
    read blob bytes through a local char_u* instead of going through
    blob_get() for each byte.
    
    Benchmark (1 MiB blob, 5 iterations, total seconds, median of 3 runs):
    
    | byte distribution | Before | After | Speedup |
    |---|---:|---:|---:|
    | 1-digit (0–9)     | 0.0254 | 0.0174 | 1.46x |
    | 2-digit (10–99)   | 0.0344 | 0.0064 | 5.38x |
    | 3-digit (100–255) | 0.0539 | 0.0102 | 5.28x |
    | mixed (0–255)     | 0.0335 | 0.0093 | 3.60x |
    
    closes: #20113
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2219c890136f4c809ca4fa64d357ae46442bfa92
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 15:20:18 2026 +0000

    patch 9.2.0430: tests: Test_shortmess_F3() is flaky on MS-Windows
    
    Problem:  tests: Test_shortmess_F3() is flaky on MS-Windows
    Solution: Increase the sleep to 3s (Yasuhiro Matsumoto)
    
    On MS-Windows time_differs() treats mtime as unchanged unless st_mtime
    differs by more than 1 second, so a 2-second sleep can fall short when
    the two writes straddle a second boundary. Bump the non-nanotime sleep
    to 3 seconds.
    
    closes: #20117
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 503107706dc699a52c3b399e67b1d163c600bc02
Author: James McCoy <jamessan@debian.org>
Date:   Sat May 2 10:40:28 2026 -0400

    release package vim version 2:9.2.0428-1
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit e25933014c1c7cc4fb40a6ed429b80fdb37ba28e
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sat May 2 13:29:01 2026 +0000

    patch 9.2.0429: tests: flaky screendump Test_smoothscroll_incsearch()
    
    Problem:  tests: flaky screendump Test_smoothscroll_incsearch()
    Solution: Replace screendump test by WaitForAssert()
              (Yasuhiro Matsumoto)
    
    VerifyScreenDump fails consistently on the macos-15-intel CI runner.
    Replace the dump comparisons with assertions that verify the actual
    invariant under test: that the visible buffer view stays unchanged
    across the four incremental-search keystrokes (i.e. skipcol is not
    reset). Drop the now-unused dump files.
    
    closes: #20118
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 5007b15639fb465ead585ff986e772498a4bde40
Author: James McCoy <jamessan@debian.org>
Date:   Fri May 1 20:44:15 2026 -0400

    Bump changelog to 9.2.0428
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit c772f6af820a72f78ea3dd018c059ce3ae72885a
Merge: 9cbb64573 59e59a62b
Author: James McCoy <jamessan@debian.org>
Date:   Fri May 1 20:43:28 2026 -0400

    Merge tag 'v9.2.0428' into debian/sid
    
    v9.2.0428

commit e4413c5df76d353251be53edfbd7718ff18dc36b
Author: Doug Kearns <dougkearns@gmail.com>
Date:   Fri May 1 16:35:57 2026 +0000

    runtime(algol68): Update syntax file, match symbolic identity relators
    
    closes: #20109
    
    Signed-off-by: Doug Kearns <dougkearns@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 59e59a62b417c6cee7384718120a9378ee347064
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 16:28:51 2026 +0000

    patch 9.2.0428: popup: no opacity support for completepopup/previewpopup
    
    Problem:  popup: no opacity support for completepopup/previewpopup
    Solution: Add support opacity: suboption for the 'completeopt'.
    
    Accepts opacity:0-100 with the same semantics as popup_create()'s
    opacity option, allowing the info / preview popup to blend with
    the background.
    
    closes: #20099
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7b218ae98c0f9a26ade91f0950e5c43d3c3c5b2b
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 16:10:21 2026 +0000

    patch 9.2.0427: popup: opacity blend may leaks white bg color
    
    Problem:  popup: opacity blend may leaks white bg color
    Solution: Add cterm color blending for 256 color terminals, use
              COLOR_INVALID() macro to check for invalid color
              (Yasuhiro Matsumoto)
    
    When a textprop highlight only set gui=undercurl/guisp (no fg/bg), the
    CTERMCOLOR sentinel was treated by hl_blend_attr() as a real near-white
    color, leaking white bg onto textprop-covered cells under an opacity
    popup or pum.  Add a cterm color blending path that approximates blends
    in the xterm 256-color palette using the gui RGB when available, so
    opacity now has a visible effect even without 'termguicolors' (in
    256-color terminals).  Below 256 colors the blend is skipped.
    
    Also document the requirement (GUI, 'termguicolors', or 256-color
    terminal) and update existing pumopt/popupwin opacity screendumps to
    reflect the new blended output.
    
    closes: #20095
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit cf5d7102b9624f1bf230b6efad22f9bd0b39bd53
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 16:01:03 2026 +0000

    patch 9.2.0426: tests: still some flaky screendump tests
    
    Problem:  tests: still some flaky screendump tests
              (James McCoy)
    Solution: Replace flaky VerifyScreenDump checks with assert_* assertions
              for Test_visual_block_scroll and Test_scrolloffpad_with_folds,
              and remove the now-unused dump files, mark those tests as
              flaky (which happened previously for screendump tests
              automatically) (Yasuhiro Matsumoto).
    
    fixes:   #20096
    related: #20095
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit d25f8d1b2c6e0cbd390a36884c95edc88f1b3d69
Author: Shougo Matsushita <Shougo.Matsu@gmail.com>
Date:   Fri May 1 14:54:56 2026 +0000

    patch 9.2.0425: Cannot silence undo/redo messages
    
    Problem:  Cannot silence undo/redo messages
    Solution: Add "u" flag to 'shortmess' option
              (Shougo Matsushita).
    
    fixes:  #20049
    closes: #20107
    
    Signed-off-by: Shougo Matsushita <Shougo.Matsu@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ec8b8bd82a905f0faf1a73bf57381597f0e25654
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 13:29:01 2026 +0000

    patch 9.2.0424: popup: flicker when wildtrigger() refreshes the popup menu
    
    Problem:  popup: flicker when wildtrigger() refreshes the popup menu
    Solution: Wrap the pum teardown and cmdline redraw in synchronized
              terminal output (Yasuhiro Matsumoto).
    
    Reduces flicker when wildtrigger() refreshes the popup on every
    keystroke and the cmdline is wrapped: the un-scroll inside
    update_screen() and the re-scroll inside redrawcmd() are emitted as
    one atomic terminal update.
    
    closes: #20081
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 587447ec64ffd9e6eaba329ffd9d778159ea6e32
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 13:25:31 2026 +0000

    patch 9.2.0423: popup: wrapped cmdline truncated with wildoptions=pum
    
    Problem:  popup: wrapped cmdline truncated with wildoptions=pum
    Solution: Call msg_starthere() in redrawcmd() to reset lines_left
              before each redraw (Yasuhiro Matsumoto).
    
    redrawcmd() leaves lines_left at its previous value, which decrements
    across successive redraws (e.g. when wildtrigger() refreshes the popup
    on every keystroke) until 0, after which msg_no_more aborts drawing
    the wrapped cmdline. Call msg_starthere() to reset it.
    
    related: #20081
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ba85f88fe95db2daf3ea2542042af9e65308e2b8
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Fri May 1 13:12:11 2026 +0000

    patch 9.2.0422: popup: leave stray char when scrollbar changes
    
    Problem:  popup: leave stray char when scrollbar changes
              (Maxim Kim, after v9.2.0112)
    Solution: refresh popup mask when scrollbar visibility changes
              (Yasuhiro Matsumoto)
    
    popup_adjust_position() set popup_mask_refresh only on geometry
    changes, missing the case where w_has_scrollbar flips. After
    popup_settext() shrinks the buffer enough that the scrollbar
    disappears, the cell that held the old border / scrollbar was
    never repainted, leaving stray characters.
    
    fixes:  #20092
    closes: #20098
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7f3243e3a8285badb0b2e34458cecaa9bfaadf49
Author: Ivan Pešić <27575106+eevan78@users.noreply.github.com>
Date:   Thu Apr 30 18:06:46 2026 +0000

    translation(sr): Update of Serbian translation
    
    closes: #20105
    
    Signed-off-by: Ivan Pešić <27575106+eevan78@users.noreply.github.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7da90de1cb6df8f2dcbab97d3c7b8b83fa0de13d
Author: Léana 江 <leana.jiang+git@icloud.com>
Date:   Thu Apr 30 18:00:28 2026 +0000

    runtime(cabal): add missing haskell language editions
    
    closes: #20097
    
    Signed-off-by: Léana 江 <leana.jiang+git@icloud.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f793e98068a3de540caf539ff0ecb35f06aa2a08
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Wed Apr 29 21:44:12 2026 +0000

    runtime(doc): clarify separator cell on status line rows
    
    - Expand hl-VertSplit / hl-VertSplitNC in syntax.txt to spell out which
      character (space vs 'fillchars' "vert") and which highlight group
      (StatusLine / StatusLineNC / VertSplit / VertSplitNC) are used at the
      separator cell on each kind of screen row.
    - Add cross references from hl-StatusLine and hl-StatusLineNC to
      hl-VertSplit / hl-VertSplitNC.
    
    The behavior itself is unchanged — see v9.2.0349 (c72196529) — but the
    asymmetry reported in #20089 surprised users, so this aims to make the
    spec discoverable from the highlight group docs.
    
    closes: #20101
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 620557bd48865fa3d927901764d2747bf68597b5
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 29 21:22:48 2026 +0000

    runtime(doc): Update help tags file
    
    forgotten from Commit e7e35b9e3866abcbb33e
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e7e35b9e3866abcbb33eec789c85636671c86440
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 29 21:17:11 2026 +0000

    runtime(doc): clarify that viminfo file should be trusted
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 77499e009af677720e747debebedb78d12a77cb6
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Apr 29 20:36:14 2026 +0000

    patch 9.2.0421: vimball: can smuggle Vimscript into VimballRecord file
    
    Problem:  vimball: can smuggle Vimscript into VimballRecord file
              (Mayank Jangid and Kushal Khemka)
    Solution: Disallow strange file names
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3ac7b974391c40ba61c7abec8c02ea3bacf818a4
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed Apr 29 19:48:05 2026 +0000

    patch 9.2.0420: channel: cannot handle binary data via channel callbacks
    
    Problem:  channel: cannot handle binary data via channel callbacks
    Solution: Add a blob channel mode that passes callback data as a Blob
              (Yasuhiro Matsumoto).
    
    closes: #20084
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit bd8716178e4f410ba5b0a0c2bcffa5cc860a2137
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed Apr 29 19:23:47 2026 +0000

    patch 9.2.0419: popup: rendering issues
    
    Problem:  popup: rendering issues
    Solution: Fix popup bottom edge overflow, stabilize popup width across
              scrolling, fix popup right edge overflow
              (Yasuhiro Matsumoto)
    
    closes: #20042
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 20e98ff1cc3ffc13d42579d2bf9b9567f98595a2
Author: glepnir <glephunter@gmail.com>
Date:   Wed Apr 29 19:10:43 2026 +0000

    patch 9.2.0418: wildcards in expanded env vars reinterpreted by glob
    
    Problem:  With $d='[dir]', `:e $d/file.txt` opens the wrong file,
              `:e $d/<Tab>` fails to complete, and `glob('$d/*')` returns
              nothing. Wildcard characters inside expanded environment
              variables get picked up by globbing again.
    Solution: Turn the 4th parameter of expand_env_esc() from a bool into a
              string of characters to escape in each expanded value. Callers
              that pass the result to wildcard expansion should include
              PATH_ESC_WILDCARDS in addition to " \t" (glepnir).
    
    closes: #20053
    
    Signed-off-by: glepnir <glephunter@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit af494af5ff188d976073cbc049249614edffa4bf
Author: glepnir <glephunter@gmail.com>
Date:   Wed Apr 29 18:35:55 2026 +0000

    patch 9.2.0417: completion: no support for "noinsert" with 'wildmode'
    
    Problem:  completion: no support for "noinsert" with 'wildmode' and
              commandline completion
    Solution: Add "noinsert" value to the 'wildmode' option, mirroring
              'completeopt' "noinsert" behaviour (glepnir).
    
    fixes:  #16551
    closes: #20080
    
    Signed-off-by: glepnir <glephunter@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c2bda0add96a18328299e9fe6d75925049a5146a
Author: Maxim Kim <habamax@gmail.com>
Date:   Wed Apr 29 17:14:11 2026 +0000

    patch 9.2.0416: Unix: filename completion splits at space for single-file Ex commands
    
    Problem:  SPACE_IN_FILENAME is defined on most platforms but not on Unix.
              As a result, set_context_for_wildcard_arg() on Unix always resets the
              completion pattern at white space for Ex commands that take a
              single file argument.
    Solution: Drop the SPACE_IN_FILENAME ifdef (Maxim Kim)
    
    fixes:  #18411
    closes: #20090
    
    Signed-off-by: Maxim Kim <habamax@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6453a7c440648f938a9bde83213ffcf3903f44be
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Wed Apr 29 16:10:04 2026 +0000

    patch 9.2.0415: Wrong behavior when executing register that ends in Insert mode
    
    Problem:  Wrong behavior when executing register that ends in Insert
              mode from Ctrl-O (Emilien Breton)
    Solution: Use :startinsert etc. to restore Insert mode after executing
              the register contents (zeertzjq).
    
    fixes:  #20085
    closes: #20091
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 458fed4f65668b0c6d97b46669bb3aceb8b6422f
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Wed Apr 29 15:58:42 2026 +0000

    patch 9.2.0414: Flicker when drawing window separator and pum is shown
    
    Problem:  In a vertical split where the pum overlaps the windows vsep column,
              background draws (vsep at cursor row, status line,
              redraw_vseps, idle ins_redraw) can write into cells that are
              covered by the pum, because skip_for_popup() only protects
              those cells while pum_will_redraw is set.
    Solution: In skip_for_popup(), also skip cells under a visible pum when
              the current draw is not the pum itself (screen_zindex
              POPUPMENU_ZINDEX).  Exclude the wildmenu pum (MODE_CMDLINE):
              while the cmdline grows, pum_row is briefly stale and
              protecting those cells would blank a cell of the wrapped
              cmdline row (Yasuhiro Matsumoto).
    
    closes: #20093
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 9cbb645731e6456140d34dbbeb1d42a6745eef15
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 29 11:00:52 2026 -0400

    Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from d/copyright
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit 5b79de609151af7a2033cb754a7306dc24f0c63a
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 29 09:04:12 2026 -0400

    Start changelog for 9.2.0413
    
    Signed-off-by: James McCoy <jamessan@debian.org>

commit a14fe7c199e679385670b6ddb175654b1a6404bf
Merge: 067a592e8 bd0f3e6da
Author: James McCoy <jamessan@debian.org>
Date:   Wed Apr 29 08:54:11 2026 -0400

    Merge tag 'v9.2.0413' into debian/sid
    
    v9.2.0413

commit c5de8231f436d47ca5daf4f4d5d91c55632f52ce
Author: ii14 <ii14@users.noreply.github.com>
Date:   Tue Apr 28 21:20:41 2026 +0000

    runtime(qml): Add optional chaining to QML syntax
    
    "obj?.prop" was wrongly parsed as ternary operator.
    
    closes: #19988
    
    Signed-off-by: ii14 <ii14@users.noreply.github.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit bd0f3e6da5df70ab2250264d0a7efc7db83c3dc8
Author: Luuk van Baal <luukvbaal@gmail.com>
Date:   Tue Apr 28 21:09:45 2026 +0000

    patch 9.2.0413: Scrolling wrong with 'splitkeep' when changing 'cmdheight'
    
    Problem:  Cursor is not adjusted when 'cmdheight' is changed to cover
              the cursor with 'splitkeep' ~= "cursor".
    Solution: Handle window resize for 'splitkeep' after changing 'cmdheight'.
              Ensure previous window height is set when changing 'splitkeep'
              (Luuk van Baal).
    
    closes: #20043
    
    Signed-off-by: Luuk van Baal <luukvbaal@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 41c3379bdf944dcee7f64b8e95094c03e2dce968
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Tue Apr 28 21:03:12 2026 +0000

    patch 9.2.0412: channel: term_start() out_cb/err_cb no longer deliver raw chunks
    
    Problem:  channel: term_start() out_cb/err_cb no longer deliver raw
              chunks (regression from patch 9.2.0224, breaks callers like
              vim-fugitive that parse multi-line output)
              (D. Ben Knoble, after v9.2.0224)
    Solution: Remove the PTY-specific per-line splitting in
              may_invoke_callback() so RAW callbacks again receive the
              raw chunk as returned by read(), preserving embedded NL.
              If per-line handling is desired, the callback must split
              "msg" on NL and strip the trailing CR itself; document
              this behavior in term_start().  Replace
              Test_term_start_cb_per_line() with
              Test_term_start_cb_raw_chunk() to verify the raw-chunk
              contract.
    
    fixes:  #20041
    closes: #20045
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Co-Authored-By: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e7745b7cbf8fa4433083d2565af72e9ffca5026d
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Tue Apr 28 20:25:30 2026 +0000

    patch 9.2.0411: tabpanel: no Vim script functions for the tabpanel
    
    Problem:  tabpanel: no Vim script functions for the tabpanel
    Solution: Add tabpanel_getinfo() and tabpanel_scroll()
              (Yasuhiro Matsumoto).
    
    tabpanel_getinfo() returns a dict describing the tabpanel (align,
    columns, scrollbar, offset, total, max_offset).
    
    tabpanel_scroll(n) scrolls the tabpanel by n rows (positive for
    down, negative for up). With {absolute: 1} the argument is used as
    the new absolute offset instead of a delta. The offset is clamped to
    the valid range; returns true when it actually changes.
    
    closes: #20056
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6146f3382fcf295bdf7bdfab071e36a6410d14ca
Author: Jesse Rosenstock <jmr@google.com>
Date:   Tue Apr 28 19:23:41 2026 +0000

    patch 9.2.0410: test suite races when run with parallel make
    
    Problem:  Running "make test" with -jN causes spurious failures because
              the old-style tests share filenames (test.ok, test.out, X*,
              viminfo) in the working directory.
    Solution: Add .NOTPARALLEL to the testdir Makefile to prevent parallel
              execution of tests (Jesse Rosenstock).
    
    closes: #20082
    
    Co-authored-by: Gemini
    Signed-off-by: Jesse Rosenstock <jmr@google.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 30b42407302e8d5a7d16551ce105648cde8000c5
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Tue Apr 28 19:19:53 2026 +0000

    runtime(doc): Update docs related to tabpanel
    
    closes: #20083
    
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 6cb4173294d0a9612bf105f1c8e492f47a56a568
Author: glepnir <glephunter@gmail.com>
Date:   Tue Apr 28 19:14:22 2026 +0000

    patch 9.2.0409: memory leaks in copy_substring_from_pos()
    
    Problem:  Memory leak in error path of copy_substring_from_pos().
    Solution: Free the garray on OOM in copy_substring_from_pos()
              (glepnir).
    
    closes: #20086
    
    Signed-off-by: glepnir <glephunter@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit e47daed4423182968f64b80c3d7613f0a98a50d4
Author: Jaehwang Jung <tomtomjhj@gmail.com>
Date:   Tue Apr 28 19:04:39 2026 +0000

    patch 9.2.0408: Insert-mode <Cmd> edits can corrupt undo
    
    Problem:  A <Cmd> command in Insert mode can edit the current buffer,
              e.g., with setline(). That edit appends to the current undo
              block, but Insert mode does not know that the cursor line may
              need to be saved again before the next typed edit. If the next
              typed edit is a <BS> at the start of a line, it can join away
              the line that was changed by the <Cmd> command before Insert
              mode saves that updated line. The newest undo entry can then
              still refer to the joined-away line, so undo sees a range past
              the end of the buffer and fails with E438.
    Solution: If a <Cmd> command in Insert mode changes the buffer, set
              ins_need_undo so stop_arrow() refreshes Insstart. This lets
              the next edit properly decide whether a new undo entry is
              needed (Jaehwang Jung)
    
    closes: #20087
    AI-assisted: Codex
    
    Signed-off-by: Jaehwang Jung <tomtomjhj@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 2d43240659868e91e7c371017793091082bfda74
Author: Hirohito Higashi <h.east.727@gmail.com>
Date:   Mon Apr 27 21:14:46 2026 +0000

    patch 9.2.0407: tabpanel: A few issues with the tabpanel
    
    Problem:  Several issues around the tabpanel scrollbar:
              1. :set tabpanelopt= completion did not offer "scroll" and
                  "scrollbar".
              2. gt/gT and other tab switches did not update the scrollbar
                  thumb; the current tab could move outside the visible
                  panel range without the view following.
              3. When tpl_scroll_offset was at its maximum, the thumb's
                  bottom did not reach the last screen row due to integer
                  truncation in thumb_top (e.g. 31 tabs on 24 rows + :tablast
                  left a one-row gap).
              4. For align:right the scrollbar was drawn on the panel's
                  left edge (adjacent to the buffer area), which breaks the
                  common convention that a vertical scrollbar sits on the
                  right.
    Solution: - Add "scroll" and "scrollbar" to the 'tabpanelopt' expansion
                list.  Cover the completion in test_options.vim and extend
                util/gen_opt_test.vim with the new valid/invalid values;
                drop the now-redundant acceptance test from
                test_tabpanel.vim.
              - In draw_tabpanel(), remember the last-drawn curtab and,
                when it changes, adjust tpl_scroll_offset so curtab_row
                falls inside [offset, offset + Rows).  Mouse wheel and
                drag leave curtab unchanged, so the user's chosen offset
                is preserved.
              - In draw_tabpanel_scrollbar(), compute thumb_top as
                (Rows - thumb_height) * tpl_scroll_offset
                / (tpl_total_rows - Rows), mirroring the mapping already
                used by tabpanel_drag_scrollbar().  This guarantees the
                thumb's bottom reaches the last row at the maximum offset.
              - In draw_tabpanel(), place the scrollbar at the tabpanel's
                right edge for both align:left and align:right (previously
                align:right put it on the panel's left edge next to the
                vertical separator).  For align:right this means the
                scrollbar now sits at the screen's right edge.
              - Update :h tabpanel-scroll to describe the new, align-
                independent placement.
              - Add Test_tabpanel_scrollbar_follows_curtab() and
                Test_tabpanel_scrollbar_reaches_bottom() to exercise the
                regressions fixed by items 2 and 3.
    
    closes: #20052
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7e765148964b4758e7c45bbb781a476178e3aaa1
Author: Shane Harper <shane@shaneharper.net>
Date:   Mon Apr 27 19:55:03 2026 +0000

    patch 9.2.0406: VisualNOS not used when Wayland selection ownership lost
    
    Problem:  VisualNOS not used when Wayland selection ownership lost
              (lilydjwg)
    Solution: Don't require X_DISPLAY != NULL to use VisualNOS
              (Shane Harper).
    
    fixes:   #19914
    related: #19812
    related: #19659
    closes:  #20066
    
    Signed-off-by: Shane Harper <shane@shaneharper.net>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit ae196b2d589562fbb3fcd64cd0cc33f052c6cf56
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Apr 27 18:40:07 2026 +0000

    patch 9.2.0405: when jumping to tags, will open URLs
    
    Problem:  when jumping to tags, will open URLs
              (Srinivas Piskala Ganesh Babu)
    Solution: Disallow trying to open remote files.
    
    closes: #20068
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3958188f6aace8f828a36f8886e99c6a64fedcf1
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Apr 27 18:29:33 2026 +0000

    patch 9.2.0404: redraw_listener_add() does not check secure flag
    
    Problem:  redraw_listener_add() does not check secure flag
    Solution: Check for check_secure() in f_redraw_listener_add()
    
    closes: #20070
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit f1a9449206b019f6443915c4d56ee0cc51492a87
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Apr 27 18:14:49 2026 +0000

    patch 9.2.0403: Vim9: def function sandbox bypass
    
    Problem:  Vim9: def function sandbox bypass
              (Srinivas Piskala Ganesh Babu)
    Solution: Check for sandbox flag in call_user_func() and call_dfunc()
              when executing Vim9 script functions
    
    closes: #20071
    
    Supported by AI
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 7070a85d94faf90fa3c959ad73b5f9db1b947ee9
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Mon Apr 27 18:05:12 2026 +0000

    patch 9.2.0402: pum: opacity not applied to wildmenu pum
    
    Problem:  pum: opacity not applied to wildmenu pum
    Solution: Call pum_call_update_screen() in cmdline_pum_display() when
              opacity is set, fix flicker by checking against expected row
              (Yasuhiro Matsumoto).
    
    closes: #20072
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 0bc64b19a2e14a51c5a5ee162d7047c53fc30f9c
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Apr 27 17:41:45 2026 +0000

    patch 9.2.0401: tests: still a few flaky tests
    
    Problem:  tests: still a few flaky tests
    Solution: Add WaitForAssert to test_messages.vim, use a smaller terminal
              window for test_tabpanel, add TermWait() in test_messages
              to handle DECQRM messages.
    
    closes: #20074
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit dd9b31fb62c0003be6cfd18847982b26efc73d34
Author: Barrett Ruth <br.barrettruth@gmail.com>
Date:   Mon Apr 27 17:18:17 2026 +0000

    patch 9.2.0400: sandbox callbacks selected through 'complete'
    
    Problem:  Modeline-tainted 'complete' values can invoke completion
              callbacks outside the sandbox.
    Solution: Enter the sandbox for both 'complete' callback phases and add
              a regression test (Barrett Ruth)
    
    closes: #20078
    
    Signed-off-by: Barrett Ruth <br.barrettruth@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit a622dda91597f379bcbddb2e4370ef1ea61fbc47
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Mon Apr 27 17:10:25 2026 +0000

    patch 9.2.0399: MS-Windows: compile warning in strptime.c
    
    Problem:  MS-Windows: compile warning in strptime.c
              (John Marriott, after v9.2.0398)
    Solution: Fix the compile warning (Yasuhiro Matsumoto).
    
    Use _get_tzname() instead of the deprecated tzname[] global on UCRT and
    MSVC builds; older MinGW (msvcrt.dll) keeps using tzname[] as a
    fallback.
    
    related: #20054
    closes:  #20079
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 96be27309c89dcf1a5e48b364cfba57ed126ec96
Author: Christian Brabandt <cb@256bit.org>
Date:   Mon Apr 27 17:06:47 2026 +0000

    runtime(doc): fix :z command description again
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 036e40e6d80b1d71e57d3715ae20175ce09d7b78
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sun Apr 26 16:58:30 2026 +0000

    patch 9.2.0398: MS-Windows: missing strptime() support
    
    Problem:  MS-Windows: missing strptime() support
    Solution: Port NetBSD's strptime fallback to Vim
              (Yasuhiro Matsumoto).
    
    The MSVC and MinGW C runtimes do not provide strptime(), so the
    strptime() builtin was unavailable on Windows.  Port NetBSD's
    lib/libc/time/strptime.c (rev 1.67) and compile it into the Windows
    builds.  The BSD 2-clause notice from the original is preserved in the
    file.  Windows-specific adjustments: English-only locale tables, the
    fromzone()/tzalloc() path is stubbed out (no IANA tzfile loader on
    Windows), and tm_gmtoff / tm_zone stores are elided.
    
    Also call tzset() before mktime() in f_strptime() so changes to \$TZ
    are honored.
    
    Skip the POSIX DST TZ assertion in Test_strptime() on MS-Windows since
    the CRT tzset() does not parse POSIX TZ strings with DST rules.
    
    closes: #20054
    
    Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 22aedc4a902812a2a53b713dbe3c82b77f2f167d
Author: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date:   Sun Apr 26 16:47:08 2026 +0000

    patch 9.2.0397: tabpanel: double-click opens a new tab
    
    Problem:  tabpanel: double-click opens a new tab page
    Solution: Do not create a new tab page when using a double click
              (Yasuhiro Matsumoto).
    
    The tabpanel click handler inherited the tabline behavior where a
    double-click opens a new, empty tab page.  Unlike the tabline, the
    tabpanel has no "empty area": every row maps to some tab, so this
    fires on any double-click in the tabpanel and can generate stray
    empty tabs.  The behavior is also not documented for the tabpanel.
    
    Skip the new-tab branch when the click originated in the tabpanel
    and fall through to the regular tab-switch path instead.  The
    tabline behavior is unchanged.
    
    closes: #20044
    
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 076366bd4e8b89e722efc72a1b62d5b3d2ba62e0
Author: Doug Kearns <dougkearns@gmail.com>
Date:   Sun Apr 26 14:52:21 2026 +0000

    runtime(javascript): Fix regex highlighting after `(`
    
    - Fix regex highlighting after opening parens, javascriptParens was
      matching later.  Fixes issue #20069.
    - Add missing regex flags.
    - Mark the file as unmaintained.  Thanks Claudio for all your work.
    
    closes: #20076
    
    Signed-off-by: Doug Kearns <dougkearns@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit c23bfd7922dc20d83c96203d9f8840d0673245cf
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sun Apr 26 14:36:23 2026 +0000

    runtime(help): fix wrong check for existing HelpComplete function
    
    To check for an existing HelpComplete function, exists('*HelpComplete')
    should be used, as exists('HelpComplete') still returns 0 after sourcing
    the ftplugin.
    
    closes: #20073
    
    Signed-off-by: zeertzjq <zeertzjq@outlook.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 3cc7d5071619f30bba2ae4ccfa992dccb8fd5e51
Author: Doug Kearns <dougkearns@gmail.com>
Date:   Sun Apr 26 14:31:55 2026 +0000

    runtime(algol68): Add new syntax file, ftplugin and filetype detection
    
    - Add a syntax file update to Neville Dempsey's long-serving version
    - Add a new rudimentary ftplugin
    - Add filetype detection
    
    Changes to the syntax file include:
    - improved prelude, number and symbol highlighting
    - prelude highlighting tests
    - updated boiler plate
    
    Note that these runtime files currently target Algol 68 Genie employing
    the default UPPER stropping regime.  Support for GNU Algol 68 should
    also be usable with the UPPER stropping regime, although somewhat less
    complete.  Full support for the SUPPER stropping regime in GNU Algol 68
    is also planned.
    
    closes: #19818
    
    Co-authored-by: Doug Kearns <dougkearns@gmail.com>
    Signed-off-by: Doug Kearns <dougkearns@gmail.com>
    Signed-off-by: Janis Papanagnou <janis_papanagnou@hotmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>

commit 1ce03d674a5a91f62769a6dcc2f9b8f249b90761
Author: Doug Kearns <dougkearns@gmail.com>
Date:   Sun Apr 26 14:26:19 2026 +0000

    runtime(dockerfile): Update syntax, fix RUN command highlighting
    
    Allow for docker comments to be interspersed in a multiline (continued)
    RUN command argument.
    
    fixes:  #8364
    closes: #19829
    
    Signed-off-by: Doug Kearns <dougkearns@gmail.com>
    Signed-off-by: Christian Brabandt <cb@256bit.org>
Created: 2026-07-04 Last update: 2026-07-04 16:02
lintian reports 11 warnings normal
Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-05-10 Last update: 2026-05-10 17:01
AppStream hints: 2 warnings normal
AppStream found metadata issues for packages:
  • vim-common: 1 warning
  • vim-gui-common: 1 warning
You should get rid of them to provide more metadata about this software.
Created: 2020-06-01 Last update: 2020-06-01 01:13
debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 2:9.2.0524-1 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-05-24 16:00
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2023-09-13 08:27
testing migrations
  • This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the perl-5.42 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2026-05-29] vim 2:9.2.0524-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-24] Accepted vim 2:9.2.0524-1 (source) into unstable (James McCoy)
  • [2026-05-14] vim 2:9.2.0461-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-10] Accepted vim 2:9.2.0461-1 (source) into unstable (James McCoy)
  • [2026-05-02] Accepted vim 2:9.2.0428-1 (source) into unstable (James McCoy)
  • [2026-04-22] vim 2:9.2.0355-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-16] Accepted vim 2:9.2.0355-1 (source) into unstable (James McCoy)
  • [2026-04-12] Accepted vim 2:9.2.0338-1 (source) into unstable (James McCoy)
  • [2026-04-07] Accepted vim 2:9.2.0315-1 (source) into unstable (James McCoy)
  • [2026-03-26] vim 2:9.2.0218-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-21] Accepted vim 2:9.2.0218-1 (source) into unstable (James McCoy)
  • [2026-03-11] Accepted vim 2:9.2.0136-1 (source) into unstable (James McCoy)
  • [2026-03-09] Accepted vim 2:9.2.0119-1 (source) into unstable (James McCoy)
  • [2026-02-20] vim 2:9.1.2141-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-09] Accepted vim 2:9.1.2141-1 (source) into unstable (James McCoy)
  • [2026-01-25] vim 2:9.1.2103-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-23] Accepted vim 2:9.1.2103-1 (source) into unstable (James McCoy)
  • [2025-11-11] vim 2:9.1.1882-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-28] Accepted vim 2:9.1.1882-1 (source) into unstable (James McCoy)
  • [2025-10-10] Accepted vim 2:9.1.1846-1 (source) into unstable (James McCoy)
  • [2025-10-06] Accepted vim 2:9.1.1829-1 (source) into unstable (James McCoy)
  • [2025-09-24] Accepted vim 2:9.1.1766-1 (source) into experimental (James McCoy)
  • [2025-05-28] vim 2:9.1.1230-2 MIGRATED to testing (Debian testing watch)
  • [2025-05-23] Accepted vim 2:9.1.1230-2 (source) into unstable (James McCoy)
  • [2025-05-16] Accepted vim 2:9.1.1385-1 (source) into experimental (James McCoy)
  • [2025-03-30] Accepted vim 2:8.2.2434-3+deb11u3 (source) into oldstable-security (Sean Whitton)
  • [2025-03-30] Accepted vim 2:8.2.2434-3+deb11u2 (source) into oldstable-security (Sean Whitton)
  • [2025-03-27] vim 2:9.1.1230-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-25] Accepted vim 2:9.1.1230-1 (source) into unstable (James McCoy)
  • [2025-02-18] vim 2:9.1.1113-1 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 108
  • RC: 0
  • I&N: 49
  • M&W: 55
  • F&P: 4
  • patch: 17
links
  • homepage
  • lintian (0, 11)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 100)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2:9.2.0461-1ubuntu1
  • patches for 2:9.2.0461-1ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing