CVE-2026-34714 (Vim tabpanel RCE)
- Entity ID: ent-20260419-a1b2c3d4e506
- Type: issue
- Scope: shared
- Status: active
- Aliases: Vim file-open RCE, tabpanel sidebar RCE
Description
CVSS 9.2 remote code execution in Vim discovered by Claude Code in ~2 minutes from a single-sentence prompt. Root cause: missing P_MLE and P_SECURE security checks on a tabpanel-sidebar option added in 2025, plus a missing security check in autocmd_add() that enables sandbox bypass. Claude Code autonomously refined the exploit — bypassing the Vim sandbox by delivering a crafted file — and produced a working PoC without further prompting. Patched in Vim v9.2.0272.
Key claims
- Claude Code discovered a Vim RCE zero-day in 2 minutes from a one-sentence prompt
Relations
- Hung Nguyen (Calif AI Red Teaming) --[caused]--> CVE-2026-34714 (Vim tabpanel RCE)
- Claude Code --[caused]--> CVE-2026-34714 (Vim tabpanel RCE)