What is the CVSS score of CVE-2026-27976?

CVE-2026-27976 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Zed are affected by CVE-2026-27976?

Zed code editor users are vulnerable to arbitrary code execution through malicious tar/gzip files downloaded via the extension installer, with active public exploits available.

Is there a public PoC exploit available for CVE-2026-27976?

Yes, a public proof-of-concept exploit is available for CVE-2026-27976. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-27976?

Within 24 hours: Inventory all Zed installations across the organization and restrict extension installer access via network controls. Within 7 days: Disable the Zed extension installer feature organization-wide or migrate users to alternative code editors with better security controls. Within 30 days: Evaluate vendor patch availability and establish a secure code editor procurement policy.

Zed CVE-2026-27976

HIGH

UNIX Symbolic Link (Symlink) Following (CWE-61)

2026-02-26 security-advisories@github.com

RCE Zed

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 05, 2026 - 16:08 vuln.today

Public exploit code

CVE Published

Feb 26, 2026 - 00:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

Zed, a code editor, has an extension installer allows tar/gzip downloads. Prior to version 0.224.4, the tar extractor (async_tar::Archive::unpack) creates symlinks from the archive without validation, and the path guard (writeable_path_from_extension) only performs lexical prefix checks without resolving symlinks. An attacker can ship a tar that first creates a symlink inside the extension workdir pointing outside (e.g., escape -> /), then writes files through the symlink, causing writes to arbitrary host paths. This escapes the extension sandbox and enables code execution. Version 0.224.4 patches the issue.

AnalysisAI

Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Create tar with symlink pointing outside workdir

Delivery

Trigger extension installation via UI

Exploit

Unpack archive without symlink validation

Execution

Write files through symlink to arbitrary paths

Impact

Execute arbitrary code on host

Access

Create tar with symlink pointing outside workdir

Delivery

Trigger extension installation via UI

Exploit

Unpack archive without symlink validation

Execution

Write files through symlink to arbitrary paths

Impact

Execute arbitrary code on host

Vulnerability AssessmentAI

Exploitation	User must initiate extension installation from attacker-controlled tar/gzip source. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Zed installations across the organization and restrict extension installer access via network controls. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27976 vulnerability details – vuln.today

Back

Zed CVE-2026-27976

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code