Zed-industries Zed
12 CVEs affecting Zed-industries Zed. Latest disclosed: 2026-05-28. Critical: 0, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-27976 | High | 8.8 | 2026-02-25 | Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates sy… |
| CVE-2026-44466 | High | 8.6 | 2026-05-28 | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arb… |
| CVE-2026-44465 | High | 8.6 | 2026-05-28 | Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmoni… |
| CVE-2026-44463 | High | 8.6 | 2026-05-28 | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted com… |
| CVE-2026-44461 | High | 8.6 | 2026-05-28 | Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable ke… |
| CVE-2025-68433 | High | 7.8 | 2025-12-17 | Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configuratio… |
| CVE-2025-68432 | High | 7.8 | 2025-12-17 | Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Language Server Protocol (LSP) configurat… |
| CVE-2026-27800 | High | 7.4 | 2026-02-25 | Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extra… |
| CVE-2026-27967 | High | 7.1 | 2026-02-25 | Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writi… |
| CVE-2026-44462 | Medium | 6.4 | 2026-05-28 | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitra… |
| CVE-2026-25805 | Medium | 6.4 | 2026-02-10 | Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show with which parameters a tool is being invoked, when asking for allowance. Further it does… |
| CVE-2025-55012 | | | 2025-08-11 | Zed is a multiplayer code editor. Prior to version 0.197.3, the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing… |