CVE-2026-44461EPSS p13.9%

CVE-2026-44461CVE-2026-44461

zed / zed

Description

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.

Scoring

CVSS 8.6 ()
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS0.23% probability of exploitation · percentile 13.9% · 2026-06-19T12:03:05Z
Last modified2026-06-03

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-44462
CVE
CVE-2026-44463
CVE
CVE-2026-44466
CVE
CVE-2026-44465
CVE
CVE-2026-25805
CVE
CVE-2026-27976
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.