CVE-2026-44462 Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining $var@P, allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0...

EUVD-2026-32938

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining $var@P, allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0...

CVE-2026-44462

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining $var@P, allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0...

CVE-2026-44465

Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution RCE when a victim open a folder in untrusted mode...

CVE-2026-44461 Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

CVE-2026-44461

The CVE affects the Zed code editor prior to version 0.227.1. When Zed builds SSH/WSL remote commands, it places environment variable keys into the shell command string without proper quoting or validation. If an attacker can control an environment variable key (e.g., via project terminal setting...

CVE-2026-44461 Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

CVE-2026-44461

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

EUVD-2026-32936

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

RLSA-2026:19224 Important: vim security update

Vim Vi IMproved is an updated and improved version of the vi editor. Security Fixes: vim: arbitrary command execution via modeline sandbox bypass CVE-2026-34982 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to...

CVE-2026-7526 PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page

The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueueblockassets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key...

Zed 安全漏洞

Zed is a code editor developed by Zed Industries. Versions of Zed prior to 0.229.0 contained security vulnerabilities. These vulnerabilities stemmed from the terminal tool’s permission system, which could be exploited by adding environment variables before allowed commands, allowing the hijacking...

Tiny Technologies TinyMCE 跨站脚本漏洞

TinyMCE is a rich text editor developed by Tiny Technologies in the United States. Versions of TinyMCE prior to 5.11.1, 7.9.3, and 8.5.1 contained cross-site scripting vulnerabilities. These vulnerabilities stemmed from uncleaned data-mce- attributes, which could lead to storage-type XSS attacks...

Zed 操作系统命令注入漏洞

Zed is a code editor developed by Zed Industries. Versions of Zed prior to 0.229.0 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the terminal tool permissions system, which could be bypassed through bash arithmetic extensions, allowing...

Zed 安全漏洞

Zed is a code editor developed by Zed Industries. Versions of Zed prior to 0.229.0 contained security vulnerabilities. These vulnerabilities stemmed from the terminal tool permission system’s ability to bypass the bash variable expansion chain, allowing for the execution of arbitrary commands und...

Zed 安全漏洞

Zed is a code editor developed by Zed Industries. Versions of Zed prior to 0.227.1 contained a security vulnerability. This vulnerability stemmed from the abuse of the core.fsmonitor Git configuration option when opening folders containing malicious.git/config files. This allowed attackers to...

Zed 安全漏洞

Zed is a code editor developed by Zed Industries. Versions of Zed prior to 0.227.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of shell references or validations for environment variable keys during SSH/WSL remote command execution. This allowed attackers to...

CVE-2026-44887

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

EUVD-2026-32635

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

CVE-2026-44887

CVE-2026-44887 affects Pi.Alert, a WIFI/LAN intruder detector with a web service. The vulnerability arises from the web-based configuration editor allowing arbitrary Python code to be injected into pialert.conf; the background scan daemon loads this file with Python’s exec(), causing the injected...