OPEN_SOURCE
YT · YOUTUBE // 20h ago // NEWS
Claude Code Finds Zero-Days in Vim, Emacs
Anthropic's Claude Code was used to uncover remote-code-execution zero-days in Vim and GNU Emacs, then help sketch exploit paths from simple prompts. It’s a sharp example of agentic coding tools doing real security research, not just generating plausible text.
// ANALYSIS
This is the point where “AI coding assistant” starts looking less like autocomplete and more like an offensive security toolchain. The model didn’t just identify bugs; it helped move from prompt to proof-of-concept fast enough to matter.
- Claude Code found a Vim flaw in minutes and helped reason toward a sandbox-bypass exploit path, which shows how quickly LLMs can compress classic vuln research workflows
- The Emacs finding is more worrying because it suggests long-lived, low-visibility attack surfaces in mature codebases can sit unnoticed until an agent can systematically inspect them
- For defenders, this raises the bar for secure-by-default assumptions around old developer tools and plugins, especially anything that processes untrusted files or repo metadata
- For security teams, agentic code tools are now credible force multipliers for both red teaming and patch validation, which means disclosure pipelines may need to move faster
- The broader signal is that “AI in coding” now includes vulnerability discovery, exploit prototyping, and remediation support, not just feature work
// TAGS
claude-code, ai-coding, coding-agent, agent, tool-use, security
DISCOVERED
20h ago
2026-05-02
PUBLISHED
20h ago
2026-05-02
RELEVANCE
9/10
AUTHOR
The PrimeTime