April 1, 2026

Open text, open drama

Article URL →HN comments →

Mad Bugs: Vim vs. Emacs vs. Claude

AI says “open a file, get owned” — Vim races to fix, Emacs shrugs, comments explode

TLDR: AI-assisted sleuths found a “open a file, run code” trick; Vim patched fast while Emacs said it’s Git’s problem. Comments lit up with confusion over what RCE means, arguments about accountability, and the classic Vim-vs-Emacs rivalry, as a month of AI-found bugs promises more surprises

The nerd fight of the week: an AI named Claude helped uncover a “open a file, get hacked” trick in beloved text editors. In plain speak, RCE means “remote code execution” — code runs on your computer without you clicking anything. Vim shipped a fix fast (update to v9.2.0272), while Emacs maintainers waved it off as a Git thing, and the crowd went full popcorn. The bug hunters teased a whole month of AI-found flaws — MAD Bugs — and the comments turned into a block party.

One camp is raging about accountability, calling it the new early-2000s chaos. Another is confused-but-curious: “What does RCE mean?” asked a newcomer, while others asked how to turn off “modelines” — the behind-the-scenes settings in files that can trigger surprises. Meanwhile, the classic Vim vs. Emacs rivalry roared back: Vim fans bragged “patched in hours,” Emacs skeptics rolled eyes at the “not our bug” stance, and cynics joked the real exploit was summoning an editor that actually quits.

There were meme-y copypastas, security throwbacks (“feels like SQL injection all over again”), and big-picture handwringing about software makers dodging responsibility. The mood? Chaotic, nostalgic, and extremely online — with everyone waiting to see what AI breaks next

Key Points

  • A PoC demonstrated RCE in Vim triggered by opening a file; maintainers issued a fix and recommend upgrading to v9.2.0272.
  • A separate PoC showed RCE in GNU Emacs when opening a text file; maintainers declined to address it, attributing the issue to Git.
  • The bug discoveries were prompted via brief AI-oriented prompts, implying AI assistance (Claude) in identifying the flaws.
  • Full advisories for both the Vim and Emacs cases are referenced by the authors.
  • The authors launched “MAD Bugs: Month of AI-Discovered Bugs,” promising more AI-found vulnerability disclosures through April.

Hottest takes

"What does RCE mean?" — grimm8080
"Lack of accountability." — pjmlp
"the level of absurdity you get from reading something like that is insane" — Andebugulin

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.