Vim

Vim 9.2.0435 fixes an OS command injection in :find completion where backtick-enclosed shell commands inside the path option ran during Tab completion, with a modeline-set path enabling exploitation by simply opening a malicious file.

Neovim 0.12.0, released March 29, adds a native plugin manager, inline LSP completions, a redesigned message interface, LuaJIT-powered performance gains, and built-in HTTP requests, setting the stage for a 1.0 release targeted in the next development cycle.