CVE-2026-44463

8.6 HIGH

Zed is a code editor

Published: 2026-05-28 · Last updated: 2026-06-03

Severity and scoring

CVSS: 8.6 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-184, CWE-78

Affected products

Vendor	Product
zed	zed

Description

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44463
[Vendor advisory]https://github.com/zed-industries/zed/security/advisories/GHSA-c3g6-c3ff-69cg

Related CVEs

Same vendor

CVE-2026-44466 — Zed is a code editor (8.6 HIGH)
CVE-2026-44465 — Zed is a code editor (8.6 HIGH)
CVE-2026-44462 — Zed is a code editor (6.4 MEDIUM)
CVE-2026-44461 — Zed is a code editor (8.6 HIGH)

Same CWE

CVE-2026-11527 — Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument...
CVE-2026-11526 — GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle
CVE-2026-53836 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to exec... (8.8 HIGH)
CVE-2026-46716 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (9.9 CRITICAL)
CVE-2026-42853 — ApostropheCMS is an open-source Node.js content management system (6.5 MEDIUM)