CVE-2026-44463
Severity: HIGH
WAF: High
CVSS 7.8
Published: 2026-05-28
CWE-78
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| zed | zed | before 0.229.0 (fixed in 0.229.0) |
References
- github.com (Exploit, Vendor Advisory)