CVE-2026-44465

8.6 HIGH

Zed is a code editor

Published: 2026-05-28 · Last updated: 2026-06-02

Severity and scoring

CVSS: 8.6 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-78

Affected products

Vendor	Product
zed	zed

Description

Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution (RCE) when a victim open a folder in untrusted mode. This vulnerability is fixed in 0.227.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44465
[Vendor advisory]https://github.com/zed-industries/zed/security/advisories/GHSA-fj2r-rmw6-h222
[Vendor advisory]https://github.com/zed-industries/zed/security/advisories/GHSA-fj2r-rmw6-h222

Related CVEs

Same vendor

CVE-2026-44466 — Zed is a code editor (8.6 HIGH)
CVE-2026-44463 — Zed is a code editor (8.6 HIGH)
CVE-2026-44462 — Zed is a code editor (6.4 MEDIUM)
CVE-2026-44461 — Zed is a code editor (8.6 HIGH)

Same CWE

CVE-2026-11527 — Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument...
CVE-2026-11526 — GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle
CVE-2026-46716 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (9.9 CRITICAL)
CVE-2026-42853 — ApostropheCMS is an open-source Node.js content management system (6.5 MEDIUM)
CVE-2026-48165 — MariaDB server is a community developed fork of MySQL server (8.0 HIGH)