CVE-2026-44462
MEDIUM NVDCVSS Score
6.4
Severity
MEDIUM
Source
NVD
Published
May 28, 2026
Description
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0.