REPRO-2026-00124 HIGH RCE
Verified
Vim modeline handling for the tabpanel option allows sandbox escape via autocmd_add, enabling OS command execution when opening a crafted file.
Vim (github) Apr 1, 2026
What's the vulnerability?
Vim modeline handling for the tabpanel option allows sandbox escape via autocmd_add, enabling OS command execution when opening a crafted file.
Root Cause Analysis
Variant Analysis
Bypass and alternate trigger exploration (if present).
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
    pruva-verify REPRO-2026-00124
or
    pruva-verify GHSA-2GMJ-RPQF-PXVH
or
    pruva-verify CVE-2026-34714
Install:
    curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
1. Download the script
    curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00124/artifacts/repro/reproduction_steps.sh
2. Make executable
    chmod +x reproduction_steps.sh
3. Run the script
    ./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.
Artifacts
repro/rca_report.md (4.8 KB)
repro/reproduction_steps.sh (3.9 KB)
vuln_variant/rca_report.md (5.8 KB)
vuln_variant/reproduction_steps.sh (7.2 KB)
bundle/AGENTS.repro.md (0.5 KB)
bundle/ticket.json (4.1 KB)
bundle/ticket.md (3.6 KB)
repro/bang_test.txt (0.1 KB)
repro/bang_test2.txt (0.1 KB)
repro/base64_test.txt (0.1 KB)
repro/base64_test2.txt (0.1 KB)
repro/debug_poc.txt (0.2 KB)
repro/dict_test.txt (0.0 KB)
repro/dict_test2.txt (0.1 KB)
repro/escape_brace.txt (0.1 KB)
repro/escape_colon.txt (0.1 KB)
repro/escape_test.txt (0.1 KB)
repro/execute_test.txt (0.1 KB)
repro/execute_test2.txt (0.1 KB)
repro/expr_poc.txt (0.1 KB)
repro/expr_test.txt (0.1 KB)
repro/final_poc.txt (0.1 KB)
repro/fn_test.txt (0.1 KB)
repro/fn_test2.txt (0.1 KB)
repro/len_test.txt (0.0 KB)
repro/length_test.txt (0.1 KB)
repro/length_test2.txt (0.1 KB)
repro/length_test3.txt (0.1 KB)
repro/list_test.txt (0.1 KB)
repro/minimal_expr.txt (0.0 KB)
repro/poc.txt (0.1 KB)
repro/poc2.txt (0.0 KB)
repro/poc3.txt (0.2 KB)
repro/poc4.txt (0.2 KB)
repro/poc5.txt (0.2 KB)
repro/quote_test.txt (0.1 KB)
repro/redraw_poc.txt (0.1 KB)
repro/reeval_test.txt (0.1 KB)
repro/reeval_test2.txt (0.1 KB)
repro/result_poc.txt (0.1 KB)
repro/runtime_manifest.json (0.6 KB)
repro/short2_poc.txt (0.1 KB)
repro/short_poc.txt (0.1 KB)
repro/simple_expr.txt (0.1 KB)
repro/simple_poc.txt (0.0 KB)
repro/simplest_poc.txt (0.0 KB)
repro/single_quote.txt (0.1 KB)
repro/statusline_test.txt (0.1 KB)
repro/string_dict.txt (0.1 KB)
repro/test.vim (0.2 KB)
repro/test_flags.vim (0.1 KB)
repro/validation_verdict.json (0.7 KB)
repro/vim9_dict.txt (0.1 KB)
repro/working_poc.txt (0.1 KB)
logs/full_exploit.txt (0.1 KB)
logs/modeline_test.txt (0.0 KB)
logs/t1.txt (0.0 KB)
logs/vuln_variant/final_verification.log (3.2 KB)
logs/vuln_variant/ph_test.txt (0.0 KB)
logs/vuln_variant/printheader_fixed_test.txt (0.0 KB)
logs/vuln_variant/tabpanel_fixed.txt (0.0 KB)
logs/vuln_variant/tabpanel_fixed_test.txt (0.0 KB)
logs/vuln_variant/test1_modeline.txt (0.0 KB)
logs/vuln_variant/test1_output.txt (0.0 KB)
logs/vuln_variant/test3_output.txt (0.0 KB)
logs/vuln_variant/test3_printheader.txt (0.1 KB)
logs/vuln_variant/test4_modeline.txt (0.1 KB)
logs/vuln_variant/test4_output.txt (0.0 KB)
logs/vuln_variant/test6_output.txt (0.0 KB)
logs/vuln_variant/test7_output.txt (0.0 KB)
logs/vuln_variant/test7_titlestring.txt (0.1 KB)
logs/vuln_variant/ts_test.txt (0.0 KB)
logs/vuln_variant/variant_run.log (3.2 KB)
logs/vuln_variant/variant_run_final.log (3.2 KB)
logs/vuln_variant/variant_test1.txt (0.1 KB)
logs/vuln_variant/variant_test2.txt (0.1 KB)
logs/vuln_variant/variant_test3.txt (0.1 KB)
vuln_variant/patch_analysis.md (4.7 KB)
vuln_variant/source_identity.json (0.7 KB)
vuln_variant/validation_verdict.json (2.3 KB)
vuln_variant/variant_manifest.json (2.3 KB)