CVE-2026-25805

Source
https://cve.org/CVERecord?id=CVE-2026-25805
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25805.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25805
Aliases
  • GHSA-f2g4-87h6-4pxq
Published
2026-02-10T17:27:49.390Z
Modified
2026-02-11T02:35:59.032478Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
Zed does not show Parameter Values for MCP Tool Calls. Users cannot detect tool poisoning.
Details

Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show the parameters with which a tool is being invoked when it asks the user for permission. Nor does it show, after the tool has been invoked, which parameters were used. Possibly unwanted or even malicious values could therefore be used without the user having a chance to notice. Patched in Zed Editor 0.219.4, which includes expandable tool call details.

Database specific
{
    "cwe_ids": [
        "CWE-356"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25805.json"
}
References

Affected packages

Git / github.com/zed-industries/zed

Affected ranges

Type
GIT
Repo
https://github.com/zed-industries/zed
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.219.4"
        }
    ]
}

Affected versions

Other
benchmark-m4
nightly-1
vConradTest
collab-v0.*
collab-v0.10.0
collab-v0.11.0
collab-v0.12.0
collab-v0.12.1
collab-v0.12.3
collab-v0.12.4
collab-v0.12.5
collab-v0.13.0
collab-v0.13.1
collab-v0.14.0
collab-v0.14.1
collab-v0.14.2
collab-v0.15.0
collab-v0.16.0
collab-v0.17.0
collab-v0.18.0
collab-v0.19.0
collab-v0.2.0
collab-v0.2.1
collab-v0.2.2
collab-v0.2.3
collab-v0.2.4
collab-v0.2.5
collab-v0.20.0
collab-v0.21.0
collab-v0.22.0
collab-v0.22.1
collab-v0.23.0
collab-v0.23.1
collab-v0.23.2
collab-v0.23.3
collab-v0.24.0
collab-v0.25.0
collab-v0.26.0
collab-v0.27.0
collab-v0.28.0
collab-v0.29.0
collab-v0.29.1
collab-v0.3.0
collab-v0.3.1
collab-v0.3.10
collab-v0.3.11
collab-v0.3.12
collab-v0.3.13
collab-v0.3.14
collab-v0.3.2
collab-v0.3.3
collab-v0.3.4
collab-v0.3.5
collab-v0.3.6
collab-v0.3.7
collab-v0.3.8
collab-v0.3.9
collab-v0.30.0
collab-v0.30.1
collab-v0.31.0
collab-v0.32.0
collab-v0.33.0
collab-v0.34.0
collab-v0.35.0
collab-v0.36.0
collab-v0.36.1
collab-v0.37.0
collab-v0.38.0
collab-v0.39.0
collab-v0.4.0
collab-v0.4.1
collab-v0.4.2
collab-v0.40.0
collab-v0.40.1
collab-v0.41.0
collab-v0.42.0
collab-v0.42.1
collab-v0.43.0
collab-v0.44.0
collab-v0.5.0
collab-v0.5.1
collab-v0.5.2
collab-v0.5.3
collab-v0.5.4
collab-v0.6.0
collab-v0.6.1
collab-v0.6.2
collab-v0.7.0
collab-v0.7.1
collab-v0.7.2
collab-v0.8.0
collab-v0.8.1
collab-v0.8.2
collab-v0.8.3
collab-v0.9.0
v0.*
v0.1
v0.10
v0.10.1
v0.11
v0.11.0
v0.12
v0.13
v0.13.1
v0.14
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.2
v0.2.1
v0.2.2
v0.20
v0.20.0
v0.21.0
v0.219.0-pre
v0.219.1-pre
v0.219.2-pre
v0.219.3-pre
v0.22.0
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.28.1
v0.29.0
v0.3
v0.3.1
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.36.1
v0.37.0
v0.38.0
v0.39.0
v0.4
v0.40.0
v0.41.0
v0.42.0
v0.43.0
v0.44.0
v0.44.1
v0.45.0
v0.46.0
v0.47.0
v0.47.1
v0.48.0
v0.48.1
v0.49.0
v0.49.1
v0.5
v0.50.0
v0.51.0
v0.51.1
v0.52.0
v0.53.0
v0.53.1
v0.54.0
v0.54.1
v0.55.0
v0.56.0
v0.57.0
v0.58.0
v0.59.0
v0.6
v0.60.0
v0.60.1
v0.60.2
v0.60.3
v0.60.4
v0.61.0
v0.7
v0.8.0
v0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25805.json"