CVE-2026-44461

HIGH

Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Title source: cna

Description

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/zed-industries/zed/security/advisories/GHSA-63qj-jc2q-7hg5

Scores

CVSS v3 8.6

EPSS 0.0023

EPSS Percentile 13.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

zed/zed < 0.227.1

zed-industries/zed < 0.227.1

Published May 28, 2026

Tracked Since May 28, 2026