VULNERABILITY
CVE-2026-59856 is a local arbitrary code execution vulnerability in Vim's PHP omni-completion feature, with a CVSS 4.0 score of 8.4 and a patch available on GitHub, but no observed active exploitation as of July 2026.
CVE-2026-59856 is a local arbitrary code execution vulnerability in Vim's PHP omni-completion feature. The flaw allows an attacker to craft a malicious PHP file that, when opened in Vim with omni-completion enabled, triggers execution of arbitrary code. The attack vector is local (AV:L), requires user interaction (UI:A), and no privileges (PR:N), but results in high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The vulnerability stems from insufficient sanitization or unsafe handling of PHP code during the completion process. No technical discrepancies are noted across sources, as only a single advisory exists.
The advisory was published on MSRC on July 11, 2026, with a patch and proof-of-concept code available on GitHub. The EPSS score of 0.00169 (6.5th percentile) indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 8.4 reflects high impact but is tempered by the local attack vector and user interaction requirement. The existence of a PoC slightly elevates risk, but no active exploitation has been observed. Defenders should prioritize patching on developer workstations and servers where Vim is used to edit PHP code, but this is not an emergency.
CONFIRMED: No active exploitation has been observed. The vulnerability is not listed in CISA KEV, and EPSS score is 0.00169 (6.5th percentile), indicating low likelihood of exploitation.
Vim versions prior to the patched release are affected. The exact version range is not specified in the advisory, but the patch is available on GitHub.
Monitor for unexpected child processes spawned by Vim when opening PHP files. Log file access patterns for Vim opening PHP files from untrusted locations. No specific IOCs provided.
CVSS 4.0 score: 8.4 (High). EPSS score: 0.00169 (6.5th percentile), indicating a low probability of exploitation in the wild.
Yes, a patch is available on GitHub. The fixed version is not specified in the advisory, but the patch can be applied. Workarounds include disabling PHP omni-completion or avoiding untrusted PHP files.