Zed 0.228.0: Security Vulnerabilities
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.
CVSS Score: 8.6 | EPSS Score: 0.002 | Published: 2026-05-28
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0.
CVSS Score: 6.4 | EPSS Score: 0.004 | Published: 2026-05-28
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.
CVSS Score: 8.6 | EPSS Score: 0.002 | Published: 2026-05-28



Shodan ® - All rights reserved