LeakyCreds

CVE-2026-27976 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: February 27, 2026

Zed - Path Traversal & Remote Code Execution

Published: February 26, 2026 | Updated: February 27, 2026 | Remote Exploitable

Overview

Versions of the Zed code editor before 0.224.4 contain a path traversal caused by improper symlink validation in tar extraction. The flaw lets attackers write files outside the extension sandbox and execute code. Exploitation requires a crafted tar archive.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 4.2% (Probability of exploitation in next 30 days)

Impact

Attackers can write files outside the sandbox, leading to arbitrary code execution and full system compromise.

Mitigation

Update to version 0.224.4 or later.
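
A pre-extraction audit for the class of flaw described in the Overview, as an added example that is not Zed's code or its fix: it lists tar members whose path or link target leaves the destination, or that would be written through a link created by the same archive. The names `walk`, `audit_tar` and `constructed_sample` are hypothetical, the sample archive is constructed, and the check assumes extraction into an empty directory.

```python
import io
import posixpath
import tarfile

def walk(path, links):
    """Resolve a member path lexically; return (leaves_root, crosses_link)."""
    stack, crosses = [], False
    parts = [p for p in path.split("/") if p not in ("", ".")]
    for i, part in enumerate(parts):
        if part == "..":
            if not stack:
                return True, crosses
            stack.pop()
            continue
        stack.append(part)
        # A link as a non-final component means the path is resolved through it.
        crosses |= i < len(parts) - 1 and "/".join(stack) in links
    return path.startswith("/"), crosses

def audit_tar(fileobj):
    """Added example, not Zed's code: (member, reason) pairs for unsafe entries."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        members = tar.getmembers()
    links = {posixpath.normpath(m.name) for m in members if m.issym() or m.islnk()}
    findings = []
    for m in members:
        checks = [("member path", m.name)]
        if m.issym():  # symlink targets resolve relative to the link's directory
            checks.append(("symlink target", posixpath.join(posixpath.dirname(m.name), m.linkname)))
        elif m.islnk():  # hard link targets are relative to the archive root
            checks.append(("hard link target", m.linkname))
        for what, path in checks:
            leaves, crosses = walk(path, links)
            if leaves or crosses:
                why = "leaves destination" if leaves else "passes through an archive link"
                findings.append((m.name, f"{what} {why}"))
    return findings

def constructed_sample():
    """Constructed test archive (not from the advisory): a symlink and a file beneath it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, link in [("ext/main.wasm", tarfile.REGTYPE, ""),
                                 ("ext/out", tarfile.SYMTYPE, "../../elsewhere"),
                                 ("ext/out/file", tarfile.REGTYPE, "")]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info)
    buf.seek(0)
    return buf
```

An empty result from `audit_tar(constructed_sample())` would mean no entry was flagged; the constructed sample yields two findings, one for the symlink and one for the file beneath it.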

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 26, 2026

🟠 CVE-2026-27976 - High (8.8) Zed, a code editor, has an extension installer that allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (`async_tar::Archive::unpack`) creates symlinks from the archive without validation, and the path guard (`writeable_path_from_ext... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27976/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-27976
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: unconfirmed
EPSS: 4.2%
Social Posts: 1

CWE

  • CWE-61

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

4.2% (Probability of exploitation in the next 30 days)