PT-2026-39599 · Canonical+2 · Zed

Lociko · Published 2026-05-11 · Updated 2026-05-28 · CVE-2026-44463

CVSS v3.1: 8.6 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Zed versions prior to 0.229.0

Description

The terminal tool permission system in the Zed code editor can be bypassed by prepending environment variable assignments to allowlisted commands. This lets an attacker hijack program behavior, for example through the PAGER variable, and execute arbitrary code.

Recommendations

Update to version 0.229.0.
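
The bypass class described above, modelled next to one conservative mitigation. This is an added example and not Zed's code: the allowlist, the function names and the sample command lines are constructed assumptions, and the weak check is a simplified model of a matcher that looks only at the command words.

```python
import re
import shlex

# Constructed sample policy: argv prefixes the agent may run without asking.
ALLOWLIST = [["git", "log"], ["git", "status"]]
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")  # leading NAME=value word
SHELL_META = set(";&|<>()$`\n")  # chaining, redirection, substitution


def split_assignments(command):
    """Return (env_names, argv): leading NAME=value words, then the rest."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: nothing we can match safely
        return [], []
    env = []
    while tokens and ASSIGNMENT.match(tokens[0]):
        env.append(tokens.pop(0).split("=", 1)[0])
    return env, tokens


def on_allowlist(argv):
    """True when argv starts with one of the allowlisted prefixes."""
    return any(argv[:len(prefix)] == prefix for prefix in ALLOWLIST)


def weak_decision(command):
    """Weak model: matches the command words and ignores the env prefix."""
    _, argv = split_assignments(command)
    return "allow" if on_allowlist(argv) else "confirm"


def strict_decision(command):
    """Conservative: env assignments or shell metacharacters need approval."""
    env, argv = split_assignments(command)
    if env or SHELL_META & set(command):
        return "confirm"
    return "allow" if on_allowlist(argv) else "confirm"


if __name__ == "__main__":
    for cmd in ("git log", "PAGER=./constructed-helper git log"):  # constructed
        print(f"{cmd!r}: weak={weak_decision(cmd)} strict={strict_decision(cmd)}")
```

Sending every assignment to confirmation is deliberately blunt; a policy that has to permit some variables should allowlist their names explicitly rather than ignore the prefix.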

Fix

OS Command Injection

Incomplete List of Disallowed Inputs

Weakness Enumeration

Related Identifiers

CVE-2026-44463

Affected Products

Zed