Vim and GNU Emacs: Claude Code helpfully found zero-day exploits for both
Researcher Hung Nguyen from AI red teaming company Calif used simple prompts with Anthropic's Claude Code to discover zero-day remote code execution vulnerabilities in both Vim and GNU Emacs. For Vim, Claude Code found missing security checks in a 2025 tabpanel feature (CVE-2026-34714, CVSS 9.2), which was quickly patched in version 9.2.0272. For GNU Emacs, it uncovered a vulnerability dating back to 2018 related to Git integration that allows arbitrary code execution just by opening a file. This one remains unpatched, as Emacs maintainers consider it a Git problem. The findings highlight how AI tools can rapidly surface vulnerabilities that went undetected for years in old codebases, raising concerns about both the democratization of security research and the potential for malicious exploitation.