By vendor
Zed vulnerabilities
Known CVEs affecting Zed products, prioritized by severity, with SEC.co remediation and detection guidance.
3 published vulnerabilities
- CVE-2026-44461HIGH 8.6
Zed, a modern code editor, has a vulnerability in how it constructs commands for remote development over SSH or WSL (Windows Subsystem for Linux). When opening a terminal in a remote session, Zed builds a shell command that includes environment variables, but it doesn't properly escape or validate the names of those variables. An attacker who can inject a malicious environment variable name—such as through project-level terminal settings—can embed shell commands within that name. When the remote shell executes the command, it interprets these embedded instructions, allowing arbitrary code execution on the remote machine under the user's privileges. The flaw has been patched in version 0.227.1.
- CVE-2026-44463HIGH 8.6
Zed, a modern code editor, contains a security flaw in how it controls which programs can run in the integrated terminal. An attacker can bypass these permission restrictions by sneaking environment variable assignments into commands that are supposed to be allowed. By manipulating variables like PAGER, an attacker can redirect the editor to run malicious code when it attempts to display output. This affects Zed versions before 0.229.0 and is resolved in that release.
- CVE-2026-44462MEDIUM 6.4
Zed is a popular code editor that includes a terminal tool with permission controls meant to restrict which commands can be executed. Prior to version 0.229.0, an attacker could bypass these restrictions by chaining bash variable expansion syntax—specifically the ${var@P} expansion—to execute arbitrary commands even when they appeared to violate the allowed command prefix rules. This requires user interaction (opening a malicious project or terminal configuration) but grants the attacker code execution within the editor's process context.