Recent changes to bugs

The ukraine image on the homepage direct to a "Page not found".

2025-12-26T13:36:24.019000Z

The https://eu-solidarity-ukraine.ec.europa.eu/eu-stands-ukraine_en on the homepage direct to a "Page not found".

news.gmane.org is dead, list archive links are broken

2023-11-30T17:49:00.674000Z

Links to mailing list archives at news.gmane.org are broken, because that site is gone for good:

https://lars.ingebrigtsen.no/2020/01/06/whatever-happened-to-news-gmane-org/#comment-6637

Such links are present on this page, but probably elsewhere also:
https://www.vim.org/maillist.php#vim-dev

There is still nntp://news.gmane.io/, but no web interface. See the above blog post for details.

I don't know if there is another list archive available, perhaps https://marc.info/?l=vim-dev would suffice.

Uploading new version fails with file is empty error

2022-07-26T12:06:12.566000Z

I've just tried to upload new version of https://www.vim.org/scripts/script.php?script_id=3893 but got "viewdoc.zip is empty, are you sure you specified the correct path?" error. I'm 100% sure the file is not empty and it was correctly sent (I've checked content of browser's POST request).

Dark themed browser issues

2019-10-14T17:30:37.781000Z

Both fg and bg colors should be defined together.

Downloads site gives misleading information about Windows downloads

2019-06-13T15:54:56.263000Z

In light of the recent modeline security issue (CVE-2019-12735), many users are going to want to update their version of Vim to the latest secure version. However, the portion of the Downloading Vim site (https://www.vim.org/download.php) discussing Windows downloads is misleading and out of date. The 8.1 builds were uploaded on 2018-05-18, and the Cream builds (which are described as being "the latest version with all patches included") are from 2011-01-24 and 2018-03-19, depending on whether you get the version with or without the Cream patches. The only updated versions are the nightlies available through the vim-win32-installer GitHub (https://github.com/vim/vim-win32-installer/releases) and Yongwei's build (http://wyw.dcweb.cn/index.htm#download).

The portion of the page discussing Windows installation options should be rewritten to clarify that the nightlies are the only way to get recent, updated versions of Vim for Windows. The other options included in the archives (https://ftp.nluug.nl/pub/vim/pc/ and ftp://ftp.vim.org/pub/vim/pc/) may be discussed in terms of downloading old versions or unusual installation use cases, but it should be made clear that GitHub is the preferred location to download from.

Normally I would call this sort of gripe a feature request, not a bug, but due to the security implications of recommending outdated, insecure versions, I feel it rises to the level of bug.

#109 Stored Cross-site Scripting (XSS) vulnerability in Vim Online

2019-04-21T20:16:47.130000Z

I hope you would close this ticket. I didn't mark the payloads as code in the visual editor in SourceForge, due to which they got executed. I have created a new ticket with the issue mentioned in a proper way.

Thanks,
Binit Ghimire

Stored Cross-site Scripting (XSS) vulnerability in Vim Online

2019-04-21T20:13:41.008000Z

Hello sir/madam!

I am Binit Ghimire. I was able to discover a Stored Cross-site Scripting (XSS) vulnerability in the official Vim website (https://www.vim.org/).

You can reproduce the vulnerability by following these steps:
1. Visit https://www.vim.org/, click on "My Account" in the sidebar and then click on "Sign up now." or directly visit this page: https://www.vim.org/account/register.php
2. You will see an account creation form. Fill the "user name", "password" and "confirm password" fields as you want and write "I am human" in the last field. For the other three fields, enter the following XSS payloads:

first name: "><svg onload=alert(document.domain)>
last name: "><svg onload=alert(document.domain)>
email: "><svg/onload=alert(document.domain)>"@x.y

Now, press enter or click on the "create" button.
When your account is created, you will be automatically logged in to your account and sent to this webpage: https://www.vim.org/account/index.php. If you haven't logged in to your account, visit https://www.vim.org/account/login.php to use your username and password for logging in.
When you have logged in to your account, visit https://www.vim.org/account/index.php and click on "edit account info" or visit: https://www.vim.org/account/edit_account.php

When you reach the "Edit Account" page, your XSS payloads will be executed. This means the "first name", "last name" and "email" fields are vulnerable to Stored Cross-site Scripting which is a persistent vulnerability stored permanently in the database.

This Stored Cross-site Scripting vulnerability can be fixed by sanitizing or escaping the user's input in the input field.

Here, the XSS payloads don't get executed when the first name and last name are displayed in the website, which means they are properly sanitized or escaped while displaying in the website. But, just doing so isn't enough to prevent from stored XSS as I was able to execute my payloads in the website.

In the "Edit Account" page, the contents of the "value" attribute of respective input elements for first name, last name and email also need to be sanitized or escaped properly. Doing so will help in resolving this vulnerability.

I usually use htmlspecialchars() and htmlentities() PHP functions to prevent XSS in my websites.

I hope this vulnerability would be resolved as soon as possible.

You can contact me at my email: thebinitghimire@gmail.com or my Twitter handle: @WHOISbinit for any queries regarding this issue.

Thanks,
Binit Ghimire

Stored Cross-site Scripting (XSS) vulnerability in Vim Online

2019-04-21T20:05:54.638000Z

Hello sir/madam!

I am Binit Ghimire. I was able to discover a Stored Cross-site Scripting (XSS) vulnerability in the official Vim website (https://www.vim.org/).

Now, press enter or click on the "create" button.
When your account is created, you will be automatically logged in to your account and sent to this webpage: https://www.vim.org/account/index.php. If you haven't logged in to your account, visit https://www.vim.org/account/login.php to use your username and password for logging in.
When you have logged in to your account, visit https://www.vim.org/account/index.php and click on "edit account info" or visit: https://www.vim.org/account/edit_account.php

This Stored Cross-site Scripting vulnerability can be fixed by sanitizing or escaping the user's input in the input field.

In the "Edit Account" page, the contents of the "value" attribute of respective input elements for first name, last name and email also need to be sanitized or escaped properly. Doing so will help in resolving this vulnerability.

I usually use htmlspecialchars() and htmlentities() PHP functions to prevent XSS in my websites.

I hope this vulnerability would be resolved as soon as possible.

You can contact me at my email: thebinitghimire@gmail.com or my Twitter handle: @WHOISbinit for any queries regarding this issue.

Thanks,
Binit Ghimire

Vim scripts pages redirect to homepage

2018-06-12T21:31:31.518000Z

When I open an "old" link like this one: http://vim.sourceforge.net/scripts/script.php?script_id=302
It first (immediately) redirects me to: https://vim.sourceforge.io/scripts/script.php?script_id=302

And after that it follows with a rewrite to: https://vim8.org/

The worst thing is that it's done in such a way that it breaks the back button too so you can't go to the script page anymore...

Spelling error "formery" on maillist.php

2018-03-27T05:07:22.460000Z

There's a spelling error on vim.org/maillist.php under the vim.org mailing lists section.

"There formery was a vim-multibyte list" should be "There formerly was a vim-multibyte list".

I've attached a diff file for the generated html page, but I'll post it here as well:

453c453
< There formery was a vim-multibyte list, but now that UTF-8 is widespread
---
> There formerly was a vim-multibyte list, but now that UTF-8 is widespread