CVE-2026-27976 · HIGH 8.8 · EPSS p38.2%


Description

Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_extension`) only performs lexical prefix checks without resolving symlinks. An attacker can ship a tar that first creates a symlink inside the extension workdir pointing outside (e.g., `escape -> /`), then writes files through the symlink, causing writes to arbitrary host paths. This escapes the extension sandbox and enables code execution. Version 0.224.4 patches the issue.
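The description above contrasts two kinds of path guard: a lexical prefix check, which only inspects the characters of the entry path, and one that resolves what is already on disk before writing. The following Rust example is added here to show that difference concretely; it is not Zed's code and does not use `async_tar`. Both guards, the temporary directory layout (`work/escape -> outside`), and the entry names are constructed for the demonstration. The point is that `lexical_guard` accepts `escape/pwned.txt` and would write into `outside`, while `resolving_guard` canonicalizes the deepest existing ancestor and rejects the entry because the symlink leaves the extraction root.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

/// Lexical guard: rejects absolute paths and `..`, but trusts whatever is
/// already on disk under `root`. A symlink planted by an earlier archive
/// entry is followed silently, which is the weakness class (CWE-61) above.
pub fn lexical_guard(root: &Path, entry: &Path) -> Option<PathBuf> {
    let mut out = root.to_path_buf();
    for c in entry.components() {
        match c {
            Component::Normal(p) => out.push(p),
            Component::CurDir => {}
            // `..`, a root `/`, or a drive prefix: refuse the entry outright.
            _ => return None,
        }
    }
    Some(out)
}

/// Resolving guard: after the lexical check, canonicalize the deepest
/// ancestor that already exists on disk and require it to remain inside the
/// canonical root. An escaping symlink is caught before anything is written.
pub fn resolving_guard(root: &Path, entry: &Path) -> io::Result<Option<PathBuf>> {
    let candidate = match lexical_guard(root, entry) {
        Some(p) => p,
        None => return Ok(None),
    };
    let canon_root = fs::canonicalize(root)?;
    // symlink_metadata does not follow links, so a dangling link still counts
    // as "existing" and gets inspected rather than skipped. The loop ends at
    // `root` at the latest, because canonicalize(root) succeeded above.
    let mut existing = candidate.as_path();
    while fs::symlink_metadata(existing).is_err() {
        existing = existing.parent().unwrap_or(root);
    }
    // canonicalize fails on a dangling link; that surfaces as Err (rejected).
    let resolved = fs::canonicalize(existing)?;
    if !resolved.starts_with(&canon_root) {
        return Ok(None);
    }
    let rest = candidate
        .strip_prefix(existing)
        .expect("existing is a prefix of candidate");
    Ok(Some(resolved.join(rest)))
}

/// Constructed layout mimicking the shape described in the advisory:
///   <tmp>/<demo>/work/escape -> <tmp>/<demo>/outside
/// Returns (work, outside). Test scaffolding only, not part of Zed.
pub fn setup_workdir(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir()
        .join(format!("symlink-guard-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&base);
    let work = base.join("work");
    let outside = base.join("outside");
    fs::create_dir_all(&work)?;
    fs::create_dir_all(&outside)?;
    symlink(&outside, work.join("escape"))?;
    Ok((work, outside))
}

fn main() -> io::Result<()> {
    let (work, _outside) = setup_workdir("main")?;
    let entry = Path::new("escape/pwned.txt");
    // Lexical check alone: accepted, and the write would land in `outside`.
    println!("lexical:   {:?}", lexical_guard(&work, entry));
    // Resolving check: rejected, work/escape canonicalizes outside `work`.
    println!("resolving: {:?}", resolving_guard(&work, entry)?);
    // An ordinary entry passes both guards.
    println!("normal:    {:?}", resolving_guard(&work, Path::new("src/lib.rs"))?);
    Ok(())
}
```

The resolving guard still has to be applied to every entry, symlink entries included: an extractor that refuses symlink entries whose target is absolute or lexically escapes the root, and then resolves the parent chain before each write, closes both halves of the sequence described above. Note that a check-then-write sequence remains racy if another process can modify the directory between the check and the write; for an extension workdir that is freshly created and private to the installer, that window is normally acceptable.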

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.2% · 2026-06-18T12:00:27Z
Published: 2026-02-26
Last modified: 2026-03-05

Underlying weaknesses · 1

CWE-61

References

  1. https://github.com/zed-industries/zed/security/advisories/GHSA-59p4-3mhm-qm3r


Type        Target                                            Confidence  Tier
Weakness    UNIX Symbolic Link (Symlink) Following (cwe-61)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-44462
CVE: CVE-2026-44463
CVE: CVE-2026-44466
CVE: CVE-2026-44461
CVE: CVE-2026-10732
CVE: CVE-2026-44465
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.