Welcome to Vim Sh*tty 2000

Proof-of-concept text files are now available that, when opened in a vulnerable installation of Vim or Neovim, will execute commands on the underlying machine, or even open a backdoor.

Bug-hunter Armin Razmjou this week documented a security hole, designated CVE-2019-12735, in the popular text and source code editors. Malicious documents can potentially exploit it to commandeer victims' computers when opened.

The vulnerability is present in Vim versions prior to 8.1.1365, and Neovim builds before 0.3.6.

Razmjou reported the issue to the maintainers of both applications on May 22.

Vim had a patch out by May 23, and Neovim released its fix on May 29.
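To check an installed editor against the version boundaries given above, the following added example (not from the article or from either project) classifies the text printed by `vim --version` or `nvim --version`. The sample outputs are constructed, and treating a Vim 8.1 build as fixed only when patch 1365 appears in its "Included patches" line is an assumption of this sketch.

```python
import re

# Boundaries as stated in the article.
VIM_FIXED = (8, 1, 1365)
NVIM_FIXED = (0, 3, 6)

def vim_patch_ranges(text):
    """Parse 'Included patches: 1-1364, 1366' into [(1, 1364), (1366, 1366)]."""
    m = re.search(r"^Included patches:\s*(.+)$", text, re.M)
    ranges = []
    for part in (m.group(1).split(",") if m else []):
        nums = [int(n) for n in re.findall(r"\d+", part)]
        if nums:
            ranges.append((nums[0], nums[-1]))
    return ranges

def is_affected(version_output):
    """True/False for vim or nvim --version text, None if unrecognised."""
    m = re.search(r"^NVIM v(\d+)\.(\d+)\.(\d+)", version_output, re.M)
    if m:
        return tuple(map(int, m.groups())) < NVIM_FIXED
    m = re.search(r"^VIM - Vi IMproved (\d+)\.(\d+)", version_output, re.M)
    if not m:
        return None
    release = (int(m.group(1)), int(m.group(2)))
    if release != VIM_FIXED[:2]:
        return release < VIM_FIXED[:2]
    # Assumption: an 8.1 build is fixed only if patch 1365 is listed.
    return not any(lo <= VIM_FIXED[2] <= hi
                   for lo, hi in vim_patch_ranges(version_output))

# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "vim 8.1, patches to 1364": "VIM - Vi IMproved 8.1 (2018 May 18)\nIncluded patches: 1-1364\n",
    "vim 8.1, gap at 1365": "VIM - Vi IMproved 8.1 (2018 May 18)\nIncluded patches: 1-1364, 1366-1400\n",
    "vim 8.1, patches to 1365": "VIM - Vi IMproved 8.1 (2018 May 18)\nIncluded patches: 1-1365\n",
    "nvim 0.3.5": "NVIM v0.3.5\nBuild type: Release\n",
    "nvim 0.3.6": "NVIM v0.3.6\nBuild type: Release\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name}: affected={is_affected(out)}")
```

Distribution packages may carry a backported fix under an older version string, so a result of "affected" is a prompt to check the vendor's advisory rather than a final verdict.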
