CVE-2026-27967

High CVSS: 7.1

Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools (`read_file`, `edit_file`). It allows reading and writing files **outside the project directory** when a project contains symbolic links pointing to external paths. This bypasses the intended workspace boundary and privacy protections (`file_scan_exclusions`, `private_files`), potentially leaking sensitive user data to the LLM. Version 0.225.9 fixes the issue.

Vendor

Zed

Product

Zed

CWE

CWE-59

Yayın Tarihi

2026-02-26 00:16:27

Güncelleme

2026-03-05 16:10:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-59 Zed HIGH Zed 2026

Referanslar

https://github.com/zed-industries/zed/security/advisories/GHSA-786m-x2vc-5235

Benzer Kayıtlar

High

CVE-2026-27976

Zed, a code editor, has an extension installer allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`…

High

CVE-2026-27800

Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability exists in its extension archive extraction functionali…

Medium

CVE-2026-25805

Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show with which parameters a tool is being invoked, whe…

High

CVE-2025-68432

Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads La…

High

CVE-2025-68433

Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Mo…