Open a File, Own the Machine
Two critical remote code execution vulnerabilities have surfaced in tools that millions of developers use every day — Vim and GNU Emacs — and at least one of them remains completely unpatched.
The Vim bug, tracked as CVE-2026-34714 with a CVSS score of 9.2, lives in the editor's tabpanel feature. A missing security flag allows arbitrary expressions to be evaluated the moment a crafted file is opened, with no further interaction required from the victim. Attackers can deliver the malicious file through a code repository, email attachment, or shared drive, and execution happens silently with the full privileges of the user running Vim. The Vim team responded quickly and shipped a fix in version 9.2.0272 — if you haven't upgraded yet, do it now.
The GNU Emacs vulnerability is more architecturally subtle and, critically, still open. When Emacs opens a file inside a directory it recognizes as a Git repository, it triggers a Git status check that reads the local .git/config file. If that config defines a core.fsmonitor program, Git executes it automatically. An attacker only needs to deliver an archive containing a hidden .git/ directory with a malicious config — when the victim extracts it and opens any file in Emacs, the payload runs with no warning. The Emacs maintainers have declined to fix this, arguing it's Git's responsibility, leaving users exposed indefinitely.
Both vulnerabilities were discovered by security researchers at Calif using AI-assisted code analysis — found in minutes from a single casual prompt. That detail is itself the broader warning: the cost of finding zero-days has collapsed. Patch Vim immediately, manually disable vc-mode or set git config --global core.fsmonitor false if you use Emacs, and treat any file from an untrusted source as a potential attack vector.
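A defensive check for the Emacs scenario described above, as an added example that is not code from the original post or from the Emacs or Git projects: it walks an extracted tree and reports every .git/config that sets core.fsmonitor to a command rather than a boolean. The function names and the /placeholder/hook path are assumptions, the sample configs are constructed, and the parser is simplified (no line continuations or include directives).

```python
import re
import tempfile
from pathlib import Path
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]\s*(.*)$')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')
BOOLEANS = {"", "true", "false", "yes", "no", "on", "off", "1", "0"}  # not commands

def fsmonitor_value(config_text):
    """Return the last core.fsmonitor value in a Git config text, or None if unset."""
    section, found = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:  # "[core]" header, optionally followed by "key = value" on the same line
            section = m.group(1).lower() if m.group(2) is None else None
            line = m.group(3)
        m = KEYVAL.match(line)
        if m and section == "core" and m.group(1).lower() == "fsmonitor":
            value = m.group(2) or ""
            if not value.startswith('"'):
                value = re.split(r"\s[#;]", value)[0]  # drop a trailing comment
            found = value.strip().strip('"')
    return found

def scan_tree(root):
    """List (config path, command) for every .git/config whose core.fsmonitor is a command."""
    hits = []
    for cfg in sorted(p for p in Path(root).rglob("config") if p.parent.name == ".git"):
        value = fsmonitor_value(cfg.read_text(encoding="utf-8", errors="replace"))
        if value is not None and value.lower() not in BOOLEANS:
            hits.append((cfg, value))
    return hits

def demo():
    """Scan two constructed sample trees; the hook path is a placeholder."""
    samples = {"clean": "[core]\n\tbare = false\n\tfsmonitor = false ; built-in off\n",
               "suspect": '[Core]\n\tFSMonitor = "/placeholder/hook"\n'}
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            git_dir = Path(root, name, ".git")
            git_dir.mkdir(parents=True)
            (git_dir / "config").write_text(text)
        return [(p.relative_to(root).as_posix(), v) for p, v in scan_tree(root)]

if __name__ == "__main__":
    for path, command in demo():
        print(f"{path}: core.fsmonitor would run {command!r}")
```

Point scan_tree at the directory an archive was extracted into before opening anything inside it with an editor that has Git integration.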