CVE-2026-27800

Name of the Vulnerable Software and Affected Versions Zed versions prior to 0.224.4

Description A Zip Slip (Path Traversal) issue exists in the extension archive extraction functionality. The extract zip() function, located in crates/util/src/archive.rs, does not validate ZIP entry filenames for path traversal sequences, such as ../. This allows a malicious extension to write files outside of its designated sandbox directory by downloading and extracting a crafted ZIP archive.

Recommendations Update to version 0.224.4 or later.