← Back to Cyber Intelligence News
Live Threat Intelligence API — Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY

CVE-2026-59856 in Vim: Arbitrary Code Execution via PHP Omni-Completion — Patch Available, No Active Exploitation

📅 July 18, 2026 🔴 Exploit Risk: 0.003 📊 Intelligence Score: 32/100 📰 18 sources synthesized
TL;DR — Read this first
CVE-2026-59856 is a local arbitrary code execution vulnerability in Vim's PHP omni-completion feature, with a CVSS 4.0 score of 8.4 and a patch available on GitHub, but no observed active exploitation as of July 2026.
Intelligence Metadata
First Reported ByN/A
Outbreak VelocityN/A
ConsensusN/A
CVSS Score8.4
EPSS Score0.00169
CISA KEV StatusFalse
Exploit Risk Score0.0007
Decision StateWATCH
Recommended ActionWATCH
Decision Confidence0.9
What Would Change ThisKEV inclusion or authoritative active-exploitation evidence.

Technical Analysis

CVE-2026-59856 is a local arbitrary code execution vulnerability in Vim's PHP omni-completion feature. The flaw allows an attacker to craft a malicious PHP file that, when opened in Vim with omni-completion enabled, triggers execution of arbitrary code. The attack vector is local (AV:L), requires user interaction (UI:A), and no privileges (PR:N), but results in high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The vulnerability stems from insufficient sanitization or unsafe handling of PHP code during the completion process. No technical discrepancies are noted across sources, as only a single advisory exists.

Affected Systems

Vendor: linuxfoundation, mistune project, nodeca, Perl, Python, Vim
Affected Versions:
  • linuxfoundation / nats-server
  • mistune project / mistune
  • nodeca / js-yaml
  • Perl / dbi
  • Python / setuptools
  • Vim / vim
Exposure: Customer exposure is unknown until inventory matching is performed.
Blast Radius: Not established by the current evidence contract.

Intelligence Context

The advisory was published on MSRC on July 11, 2026, with a patch and proof-of-concept code available on GitHub. The EPSS score of 0.00169 (6.5th percentile) indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 8.4 reflects high impact but is tempered by the local attack vector and user interaction requirement. The existence of a PoC slightly elevates risk, but no active exploitation has been observed. Defenders should prioritize patching on developer workstations and servers where Vim is used to edit PHP code, but this is not an emergency.

Remediation & Defense

WATCH
Patch Status: Qualified patch evidence present
Patch Version: Not established by current evidence
Workarounds:
  • Qualified mitigation evidence is present; verify the cited source before action.

Source Timeline

Frequently Asked Questions

Is CVE-2026-59856 actively exploited in the wild?

CONFIRMED: No active exploitation has been observed. The vulnerability is not listed in CISA KEV, and EPSS score is 0.00169 (6.5th percentile), indicating low likelihood of exploitation.

Which products and versions are affected by CVE-2026-59856?

Vim versions prior to the patched release are affected. The exact version range is not specified in the advisory, but the patch is available on GitHub.

How can I detect exploitation of CVE-2026-59856?

Monitor for unexpected child processes spawned by Vim when opening PHP files. Log file access patterns for Vim opening PHP files from untrusted locations. No specific IOCs provided.

What are the CVSS and EPSS scores for CVE-2026-59856?

CVSS 4.0 score: 8.4 (High). EPSS score: 0.00169 (6.5th percentile), indicating a low probability of exploitation in the wild.

Is a patch available for CVE-2026-59856?

Yes, a patch is available on GitHub. The fixed version is not specified in the advisory, but the patch can be applied. Workarounds include disabling PHP omni-completion or avoiding untrusted PHP files.

CVE-2026-59856 CVE-2026-59928 Cyber Intelligence Perl Python WATCH linuxfoundation mistune project nodeca