CVE-2026-44461

Source
https://cve.org/CVERecord?id=CVE-2026-44461
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44461.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44461
Aliases
  • GHSA-63qj-jc2q-7hg5
Downstream
Published
2026-05-28T16:08:07.304Z
Modified
2026-07-08T08:13:29.928593819Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)
Details

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44461.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/zed-industries/zed

Affected ranges

Type
GIT
Repo
https://github.com/zed-industries/zed
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:zed:zed:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.227.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

Other
benchmark-m4
collab-production
collab-staging
extension-cli
extension-workflows
nightly
vConradTest
collab-v0.*
collab-v0.10.0
collab-v0.11.0
collab-v0.12.0
collab-v0.12.1
collab-v0.12.4
collab-v0.12.5
collab-v0.13.0
collab-v0.13.1
collab-v0.14.0
collab-v0.14.1
collab-v0.14.2
collab-v0.15.0
collab-v0.16.0
collab-v0.17.0
collab-v0.18.0
collab-v0.19.0
collab-v0.2.0
collab-v0.2.1
collab-v0.2.2
collab-v0.2.3
collab-v0.2.4
collab-v0.2.5
collab-v0.20.0
collab-v0.21.0
collab-v0.22.0
collab-v0.22.1
collab-v0.23.0
collab-v0.23.1
collab-v0.23.2
collab-v0.23.3
collab-v0.24.0
collab-v0.25.0
collab-v0.26.0
collab-v0.27.0
collab-v0.29.0
collab-v0.29.1
collab-v0.3.0
collab-v0.3.1
collab-v0.3.3
collab-v0.3.4
collab-v0.30.0
collab-v0.30.1
collab-v0.31.0
collab-v0.32.0
collab-v0.33.0
collab-v0.34.0
collab-v0.35.0
collab-v0.36.0
collab-v0.36.1
collab-v0.37.0
collab-v0.38.0
collab-v0.39.0
collab-v0.4.0
collab-v0.4.1
collab-v0.4.2
collab-v0.40.0
collab-v0.40.1
collab-v0.41.0
collab-v0.42.0
collab-v0.42.1
collab-v0.43.0
collab-v0.44.0
collab-v0.5.0
collab-v0.5.1
collab-v0.5.2
collab-v0.5.3
collab-v0.5.4
collab-v0.6.0
collab-v0.6.1
collab-v0.6.2
collab-v0.7.0
collab-v0.7.1
collab-v0.7.2
collab-v0.8.0
collab-v0.8.1
collab-v0.8.2
collab-v0.8.3
collab-v0.9.0
v0.*
v0.1
v0.10
v0.10.1
v0.11
v0.11.0
v0.12
v0.13
v0.13.1
v0.14
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.2
v0.2.1
v0.2.2
v0.20
v0.20.0
v0.21.0
v0.22.0
v0.227.0-pre
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.28.1
v0.29.0
v0.3
v0.3.1
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.36.1
v0.37.0
v0.38.0
v0.39.0
v0.4
v0.40.0
v0.41.0
v0.42.0
v0.43.0
v0.44.0
v0.44.1
v0.45.0
v0.46.0
v0.47.0
v0.47.1
v0.48.0
v0.48.1
v0.49.0
v0.49.1
v0.5
v0.51.0
v0.51.1
v0.52.0
v0.53.0
v0.53.1
v0.54.0
v0.54.1
v0.55.0
v0.56.0
v0.57.0
v0.58.0
v0.59.0
v0.6
v0.60.0
v0.60.1
v0.60.2
v0.60.3
v0.60.4
v0.61.0
v0.7
v0.8.0
v0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44461.json"