Vim before 8.1.1365 is vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.
A detailed description of the issue was published here:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Although the original vulnerability was patched with 8.1.1365, I would suggest updating to at least Vim 8.1.1368, as the follow-up patches add the new option `:set modelineexpr` as another mitigation for similar attacks.
Thanks for pointing that out. Will update.
Updated to latest and pushed a release out. Closing.
The changelog for snapshot-156 incorrectly claims the vulnerability was fixed in Vim 8.1.265.
@lilyball Thanks for pointing that out. I fixed the typo in the release page and the auto-updater's message.