Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with `exec env ...`, but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as `$(...)`) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.
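The flawed pattern next to a hardened one, as an added Rust example (not Zed's code and not the actual patch). The function names, the assumption that values were already quoted, and the sample settings are constructed for illustration.

```rust
/// POSIX single-quote a string so the remote shell treats it as literal data.
fn sh_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "'\\''"))
}

/// Accept only portable environment variable names: [A-Za-z_][A-Za-z0-9_]*
fn valid_env_key(k: &str) -> bool {
    let mut chars = k.chars();
    matches!(chars.next(), Some(c) if c.is_ascii_alphabetic() || c == '_')
        && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Pattern the advisory describes: the key is interpolated raw into the string.
/// (Assumption: the value is quoted; only the key is left unprotected.)
fn build_unsafe(env: &[(&str, &str)], program: &str) -> String {
    let mut cmd = String::from("exec env");
    for (k, v) in env {
        cmd.push_str(&format!(" {}={}", k, sh_quote(v)));
    }
    cmd.push(' ');
    cmd.push_str(&sh_quote(program));
    cmd
}

/// Hardened: reject invalid keys, then quote the whole KEY=VALUE word.
fn build_safe(env: &[(&str, &str)], program: &str) -> Result<String, String> {
    let mut cmd = String::from("exec env");
    for (k, v) in env {
        if !valid_env_key(k) {
            return Err(format!("rejected environment variable key: {:?}", k));
        }
        cmd.push(' ');
        cmd.push_str(&sh_quote(&format!("{}={}", k, v)));
    }
    cmd.push(' ');
    cmd.push_str(&sh_quote(program));
    Ok(cmd)
}

fn main() {
    // Constructed settings; the second key carries a harmless expansion.
    let env = [("TERM", "xterm-256color"), ("DEMO$(echo injected)", "1")];
    println!("unsafe: {}", build_unsafe(&env, "/bin/sh"));
    println!("safe:   {:?}", build_safe(&env, "/bin/sh"));
    println!("safe:   {:?}", build_safe(&env[..1], "/bin/sh"));
}
```

Validation and quoting are both applied on purpose: the allow-list rejects keys that could never be legitimate variable names, and quoting the full word keeps the command string safe even if the validation is later relaxed.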
References
| Link | Resource |
|---|---|
| https://github.com/zed-industries/zed/security/advisories/GHSA-63qj-jc2q-7hg5 | Exploit Vendor Advisory |
Configurations
History
03 Jun 2026, 00:58
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:zed:zed:*:*:*:*:*:*:*:* | |
| First Time | Zed zed, Zed | |
| References | () https://github.com/zed-industries/zed/security/advisories/GHSA-63qj-jc2q-7hg5 - Exploit, Vendor Advisory |
28 May 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/zed-industries/zed/security/advisories/GHSA-63qj-jc2q-7hg5 - |
28 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-28 17:16
Updated : 2026-06-03 00:58
NVD link : CVE-2026-44461
Mitre link : CVE-2026-44461
CVE.ORG link : CVE-2026-44461
Products Affected
zed
- zed
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
