PT-2026-44411 · Zed · Zed

Yueyuel · Published 2026-05-28 · Updated 2026-05-29 · CVE-2026-44461

CVSS v3.1: 8.6 High

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Zed versions prior to 0.227.1

Description

Zed builds SSH/WSL remote commands as a shell command string starting with exec env ..., where environment variable keys are inserted without shell quoting or validation. An attacker who can control an environment variable key, such as through project terminal settings, can trigger shell expansions (e.g., $(...)) that are evaluated by the remote shell when a terminal is opened. This allows for arbitrary command execution on the remote host under the victim user's account.

Recommendations

Update to version 0.227.1.

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-44461

Affected Products

Zed