Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
Conclusion & alert: CVE-2025-53906 is rated Exploit Available (50/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.73%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.09% | 0.73% | +0.64% |
| 2 | 2026-05-11 | 0.01% | 0.09% | +0.08% |
| 3 | 2025-07-16 | — | 0.01% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.1 | 3.1 | MEDIUM |
|
1.0 | 2.7 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2025-53906: 1 source package rows (vim); 229 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 0, open 229. | https://security.alpinelinux.org/vuln/CVE-2025-53906 |
debian
|
not yet assigned | CVE-2025-53906 not yet assigned priority: Debian including 1 source packages (vim), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2025-53906 |
gentoo
|
high | CVE-2025-53906: 1 GLSA(s) (202601-02), 3 atom(s) (app-editors/gvim, app-editors/vim, app-editors/vim-core); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2025-53906 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2025-53906 |
suse
|
medium | CVE-2025-53906 severity moderate: SUSE including 360 source package names (13.2-9.95:glibc-2.38-slfo.1.1_6.1, 13.2-9.95:glibc-locale-2.38-slfo.1.1_6.1, …), 1162 product×package rows across 348 product lines (Container rancher/elemental-channel/sl-micro, Container suse/manager/5.0/x86_64/server, … (348 product lines)): Fixed 930, Known Affected 226, First Fixed 6. | https://www.suse.com/security/cve/CVE-2025-53906/ |
ubuntu
|
medium | CVE-2025-53906 medium priority: Ubuntu including 1 source packages (vim), 8 status rows across 8 suites (bionic, focal, jammy, noble, plucky, trusty, upstream, xenial): ignored 5, released 2, needs-triage 1. | https://ubuntu.com/security/CVE-2025-53906 |