Vim Tabpanel Modeline Exploit

A vulnerability chain in Vim enables arbitrary OS command execution via a specially crafted file. The tabpanel option lacks the P_MLE flag, which allows a modeline to inject a %{expr} string even when modelineexpr is disabled. While the expression is initially evaluated within a sandbox, the autocmd_add() function fails to call check_secure(). This oversight allows sandboxed code to register an autocommand that triggers after the sandbox environment has been exited, resulting in a full sandbox escape.
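A defensive check for the modeline vector described above, as an added example that is not part of the original advisory or of Vim: it flags files whose modeline region sets tabpanel, and marks those carrying a %{expr} item. The function names are hypothetical, "tpl" is assumed to be the option's short name, and 5 is assumed as the default 'modelines' window.

```python
import re

MODELINES = 5  # assumed default 'modelines': lines Vim checks at each end of a file

# Modeline marker: "vi:", "vim:", "Vim:", version forms such as "vim>=900:", or
# "ex:", at line start or after whitespace. Slightly broader than Vim's own parser.
MARKER = re.compile(r"(?:^|\s)(?:vi|[Vv]im[<=>]?\d*|ex):")
# 'tabpanel' assignment; "tpl" is assumed to be the option's short name.
# The lookbehind keeps showtabpanel/stpl from matching.
TABPANEL = re.compile(r"(?<![A-Za-z])(?:tabpanel|tpl)\s*[+^-]?=(.*)")


def scan_text(text, modelines=MODELINES):
    """Return [(line_no, has_expr, line)] for modelines that set 'tabpanel'."""
    lines = text.splitlines()
    head = range(min(modelines, len(lines)))
    tail = range(max(len(lines) - modelines, 0), len(lines))
    findings = []
    for i in sorted(set(head) | set(tail)):
        marker = MARKER.search(lines[i])
        if not marker:
            continue
        opt = TABPANEL.search(lines[i], marker.end())
        if opt:
            # "%{" in the value is the expression item the advisory describes.
            findings.append((i + 1, "%{" in opt.group(1), lines[i]))
    return findings


def scan_file(path, modelines=MODELINES):
    # Modelines can sit in any text file, so decode leniently.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), modelines)


# Constructed samples; the expression is a harmless clock string.
SUSPICIOUS = "notes\n" * 3 + "# vim: set tabpanel=%{strftime('%H')} :\n"
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
MIDDLE = "x\n" * 10 + "# vim: set tabpanel=%{1} :\n" + "x\n" * 10

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for line_no, has_expr, line in scan_file(path):
            level = "HIGH" if has_expr else "review"
            print(f"{path}:{line_no}: [{level}] {line.strip()}")
```

Setting nomodeline in the vimrc stops Vim from processing modelines at all, which removes this entry point for files that have not been scanned.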