HIGH🇬🇧 English

CVE-2026-27976

CVSS 8.8v3.1pub. 2026-02-26upd. 2026-03-05

Zed, a code editor, has an extension installer allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_extension`) only performs lexical prefix checks without resolving symlinks. An attacker can ship a tar that first creates a symlink inside the extension workdir pointing outside (e.g., `escape -> /`), then writes files through the symlink, causing writes to arbitrary host paths. This escapes the extension sandbox and enables code execution. Version 0.224.4 patches the issue.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Zed

    APP
    Zed
    < 0.224.4
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2026-44466HIGH8.6ten sam produkt

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithme...

CVE-2026-44461HIGH8.6ten sam produkt

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that star...

CVE-2026-44463HIGH8.6ten sam produkt

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending en...

CVE-2026-44465HIGH8.6ten sam produkt

Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malic...

CVE-2026-27967HIGH7.1ten sam produkt

Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read...