“An attacker who can ship a crafted file to a victim achieves arbitrary command execution with the privileges of the user running Vim,” Vim maintainers noted in their security advisory. “The attack requires only that the victim opens the file; no additional interaction is required.”
GNU Emacs ‘forever-day’
Shocked, Nguyen then jokingly urged Claude Code to find the same sort of flaw in a second text editor, GNU Emacs.
Claude Code obliged, finding a zero-day vulnerability, dating back to 2018, in the way the program interacts with the Git version control system that could make it possible to execute malicious code simply by opening a file.
“Opening a file in GNU Emacs can trigger arbitrary code execution via version control (git), most requiring zero user interaction beyond the file open itself. The most severe finding requires no file-local variables at all — simply opening any file inside a directory containing a crafted .git/ folder executes attacker-controlled commands,” he wrote.
One fixed, one not
When notified, Vim’s maintainers quickly fixed their issue, identified as CVE-2026-34714 with a CVSS score of 9.2, in version 9.2.0272.
Unfortunately, addressing the GNU Emacs vulnerability, which currently has no CVE identifier, isn’t as straightforward. Its maintainers consider it to be a problem with Git, and declined to address the issue; in his post, Nguyen suggests manual mitigations. The vulnerable versions are 30.2 (stable release) and 31.0.50 (development).
