diff --git a/0001-patch-9.2.0357-security-command-injection-via-backti.patch b/0001-patch-9.2.0357-security-command-injection-via-backti.patch
new file mode 100644
index 00000000..0e4b1e7e
--- /dev/null
+++ b/0001-patch-9.2.0357-security-command-injection-via-backti.patch
@@ -0,0 +1,74 @@
+From c78194e41d5a0b05b0ddf383b6679b1503f977fb Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Wed, 15 Apr 2026 20:17:17 +0000
+Subject: [PATCH] patch 9.2.0357: [security]: command injection via backticks
+ in tag files
+
+Problem: [security]: command injection via backticks in tag files
+ (Srinivas Piskala Ganesh Babu, Andy Ngo)
+Solution: Disallow backticks before attempting to expand filenames.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
+
+Supported by AI
+
+Signed-off-by: Christian Brabandt
+---
+ src/tag.c | 4 +++-
+ src/testdir/test_tagjump.vim | 24 ++++++++++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index d3e27e602..0f12e384b 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -4137,8 +4137,10 @@ expand_tag_fname(char_u *fname, char_u *tag_fname, int expand)
+ 
+ /*
+ * Expand file name (for environment variables) when needed.
++ * Disallow backticks, they could execute arbitrary shell
++ * commands. This is not needed for tag filenames.
+ */
+- if (expand && mch_has_wildcard(fname))
++ if (expand && mch_has_wildcard(fname) && vim_strchr(fname, '`') == NULL)
+ {
+ ExpandInit(&xpc);
+ xpc.xp_context = EXPAND_FILES;
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index bbab3c70e..c0fa7b02e 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -258,4 +258,28 @@
+ bwipe!
+ endfunc
+ 
++" Test that backtick expressions in tag filenames are not expanded.
++" This prevents command injection via malicious tags files.
++func Test_tag_backtick_filename_not_expanded()
++ let pwned_file = 'Xtags_pwnd'
++ call assert_false(filereadable(pwned_file))
++
++ let tagline = "main\t`touch " . pwned_file . "`\t/^int main/;\"\tf"
++ call writefile([tagline], 'Xbt_tags')
++ call writefile(['int main(int argc, char **argv) {', '}'], 'Xbt_main.c')
++
++ set tags=Xbt_tags
++ sp Xbt_main.c
++
++ " The :tag command should fail to find the file, but must NOT execute
++ " the backtick shell command.
++ call assert_fails('tag main', 'E429:')
++ call assert_false(filereadable(pwned_file))
++
++ set tags&
++ call delete('Xbt_tags')
++ call delete('Xbt_main.c')
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.54.0
+
diff --git a/vim.spec b/vim.spec
index 11a4b791..28566adb 100644
--- a/vim.spec
+++ b/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -161,6 +161,10 @@ Patch3054: 0001-patch-9.2.0277-tests-test_modeline.vim-fails.patch
 Patch3055: 0001-patch-9.2.0280-security-path-traversal-issue-in-zip.patch
 Patch3056: 0001-patch-9.2.0299-zip-may-write-using-absolute-paths.patch
 Patch3057: 0001-patch-9.2.0304-zip-block-absolute-paths-in-Extract.patch
+# RHEL-171485 CVE-2026-41411 vim: Command injection via backticks in tag files
+# https://redhat.atlassian.net/browse/RHEL-171485
+# https://github.com/vim/vim/commit/c78194e41d5a0b05b0ddf383b6679b1503f977fb
+Patch3058: 0001-patch-9.2.0357-security-command-injection-via-backti.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -399,6 +403,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch -P 3055 -p1 -b .zip-path-traversal
 %patch -P 3056 -p1 -b .zip-abs-write
 %patch -P 3057 -p1 -b .zip-abs-extract
+%patch -P 3058 -p1 -b .tag-backtick-inject
 
 %build
 %if 0%{?rhel} > 7
@@ -917,6 +922,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog +* Thu May 21 2026 Zdenek Dohnal - 2:8.0.1763-24 +- CVE-2026-41411 vim: Command injection via backticks in tag files + * Wed May 20 2026 Zdenek Dohnal - 2:8.0.1763-23 - RHEL-170126 CVE-2026-35177 vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass