Security researcher Armin Razmjou created a proof-of-concept attack demonstrating how an adversary can compromise a Linux system via Vim or Neowim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution. The National Institute of Standards and Technology warns the bug (CVE-2019-12735) allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline
Source: https://threatpost.com/linux-command-line-editors-high-severity-bug/145569/