By weakness (CWE)
CWE-184: related vulnerabilities
CVEs classified under CWE-184. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
3 published vulnerabilities
- CVE-2026-44463HIGH 8.6
Zed, a modern code editor, contains a security flaw in how it controls which programs can run in the integrated terminal. An attacker can bypass these permission restrictions by sneaking environment variable assignments into commands that are supposed to be allowed. By manipulating variables like PAGER, an attacker can redirect the editor to run malicious code when it attempts to display output. This affects Zed versions before 0.229.0 and is resolved in that release.
- CVE-2026-44462MEDIUM 6.4
Zed is a popular code editor that includes a terminal tool with permission controls meant to restrict which commands can be executed. Prior to version 0.229.0, an attacker could bypass these restrictions by chaining bash variable expansion syntax—specifically the ${var@P} expansion—to execute arbitrary commands even when they appeared to violate the allowed command prefix rules. This requires user interaction (opening a malicious project or terminal configuration) but grants the attacker code execution within the editor's process context.
- CVE-2026-44287MEDIUM 6.3
FastGPT, an AI Agent building platform, contains a sandbox escape vulnerability in versions before 4.15.0-beta1. The issue stems from an incomplete regex filter designed to block dynamic imports in a JavaScript sandbox environment. An attacker with valid platform access can craft a specially formatted import statement using block comments to bypass the filter, gaining the ability to execute arbitrary system commands within the sandbox container. This allows an authenticated user to break out of the intended sandbox isolation and run code with the permissions of the sandbox process.