Zed Code Editor Extension Installer Allows Arbitrary File Writes
CVE-2026-27976 · CVSS 8.8
Summary
Before version 0.224.4, Zed's extension installer had a flaw that allowed a malicious extension to write files to any location on the host system, potentially allowing an attacker to execute code. The issue is fixed in version 0.224.4, so update Zed to that version or later. If you cannot update right away, consider disabling extension downloads or using a different code editor.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zed | zed | <= 0.224.4 | – |
Original title
Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without valida...
Original description
Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_extension`) only performs lexical prefix checks without resolving symlinks. An attacker can ship a tar that first creates a symlink inside the extension workdir pointing outside (e.g., `escape -> /`), then writes files through the symlink, causing writes to arbitrary host paths. This escapes the extension sandbox and enables code execution. Version 0.224.4 patches the issue.
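The flaw described above, as an added example that is not Zed's code: a minimal Rust model of an archive unpacker with the two kinds of path guard side by side. `lexical_guard` stands in for a prefix-only check of the kind the description attributes to `writeable_path_from_extension`; `resolved_guard`, `symlink_target_ok`, `unpack`, `Entry` and `demo` are names chosen here, not Zed's. The constructed archive follows the description (a symlink entry first, then a file written through it), except that the link points at a sibling temporary directory called `outside` instead of `/`, so the demonstration never touches real host paths. It uses only the standard library and needs a Unix host for `std::os::unix::fs::symlink`.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

/// One entry of a constructed archive (stand-in for `async_tar` entries).
pub enum Entry {
    Symlink { path: String, target: String },
    File { path: String, contents: Vec<u8> },
}

/// Lexical guard modelling the pre-fix check: rejects `..` and absolute paths and
/// requires the joined path to start with the workdir, but never consults the
/// filesystem, so a symlink planted by an earlier archive entry is invisible to it.
pub fn lexical_guard(workdir: &Path, entry_path: &str) -> Option<PathBuf> {
    let rel = Path::new(entry_path);
    if rel.components().any(|c| !matches!(c, Component::Normal(_) | Component::CurDir)) {
        return None;
    }
    let joined = workdir.join(rel);
    joined.starts_with(workdir).then_some(joined)
}

/// Resolving guard: canonicalize the deepest already-existing ancestor (which
/// follows symlinks), re-append the not-yet-created remainder, then check containment.
pub fn resolved_guard(workdir: &Path, entry_path: &str) -> io::Result<Option<PathBuf>> {
    let mut existing = match lexical_guard(workdir, entry_path) { Some(p) => p, None => return Ok(None) };
    let root = fs::canonicalize(workdir)?;
    let mut remainder = Vec::new();
    while existing.symlink_metadata().is_err() {
        let (name, parent) = (existing.file_name().map(|n| n.to_os_string()), existing.parent().map(Path::to_path_buf));
        match (name, parent) {
            (Some(n), Some(p)) => { remainder.push(n); existing = p; }
            _ => return Ok(None),
        }
    }
    // A dangling link cannot be canonicalized; refuse rather than guess.
    let mut resolved = match fs::canonicalize(&existing) { Ok(p) => p, Err(_) => return Ok(None) };
    remainder.iter().rev().for_each(|part| resolved.push(part));
    Ok(resolved.starts_with(&root).then_some(resolved))
}

/// Hardened policy for symlink entries: the target must be relative and contain
/// no `..`, so it cannot point above the directory the link lives in.
pub fn symlink_target_ok(target: &str) -> bool {
    Path::new(target).components().all(|c| matches!(c, Component::Normal(_) | Component::CurDir))
}

/// Unpack `entries` into `workdir`. `hardened == false` mirrors the described flaw
/// (symlinks created blindly, lexical guard only); `true` validates link targets
/// and resolves every destination through existing symlinks before writing.
pub fn unpack(workdir: &Path, entries: &[Entry], hardened: bool) -> io::Result<()> {
    for entry in entries {
        let path = match entry {
            Entry::Symlink { path, .. } | Entry::File { path, .. } => path.as_str(),
        };
        let guarded = if hardened { resolved_guard(workdir, path)? } else { lexical_guard(workdir, path) };
        let dest = match guarded { Some(d) => d, None => continue }; // rejected entry: skipped
        if let Some(parent) = dest.parent() {
            fs::create_dir_all(parent)?;
        }
        match entry {
            Entry::Symlink { target, .. } if hardened && !symlink_target_ok(target) => {}
            Entry::Symlink { target, .. } => symlink(target, &dest)?,
            Entry::File { contents, .. } => fs::write(&dest, contents)?,
        }
    }
    Ok(())
}

/// Unpack the constructed archive (symlink first, then a write through it) both ways
/// under a temp dir; `outside` stands in for `/`. Returns (escaped with the lexical
/// guard, resolving guard rejects the planted write, escaped with the hardened flow).
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("cwe61-demo-{}", std::process::id()));
    let outside = base.join("outside");
    let (mut escaped, mut rejects) = ([false; 2], false);
    for i in 0..2 {
        let workdir = base.join(format!("work-{}", i));
        fs::create_dir_all(&workdir)?;
        fs::create_dir_all(&outside)?;
        let archive = [
            Entry::Symlink { path: "escape".into(), target: outside.to_string_lossy().into_owned() },
            Entry::File { path: "escape/payload.txt".into(), contents: b"escaped".to_vec() },
        ];
        unpack(&workdir, &archive, i == 1)?;
        escaped[i] = outside.join("payload.txt").exists();
        if i == 0 { rejects = resolved_guard(&workdir, "escape/payload.txt")?.is_none(); }
        fs::remove_dir_all(&outside)?;
    }
    fs::remove_dir_all(&base)?;
    Ok((escaped[0], rejects, escaped[1]))
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?); // (true, true, false)
    Ok(())
}
```

Run it with `rustc` or `cargo run`; it prints `(true, true, false)`: the lexical guard let the file land outside the workdir, the resolving guard refuses that same write once the link exists, and the hardened unpack keeps everything inside. Rejecting `..` in link targets outright is stricter than an installer strictly needs, but combined with resolving each destination before writing it leaves no lexical-only decision for a planted symlink to bypass.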
NVD CVSS 3.1 score: 8.8
Vulnerability type
CWE-61 (UNIX Symbolic Link (Symlink) Following)
References
- https://github.com/zed-industries/zed/security/advisories/GHSA-59p4-3mhm-qm3r (Vendor Advisory, Exploit, Mitigation)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026