
Zed Editor EUVD-2026-32936

CVE-2026-44461 | HIGH | CVSS 3.1: 8.6
OS Command Injection (CWE-78)
2026-05-28 | GitHub_M

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 28, 2026 - 18:02 (EUVD)
Analysis Generated: May 28, 2026 - 17:21 (vuln.today)

Description (NVD)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1.

Analysis (AI)

Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals because environment variable keys are passed into a shell command string without quoting or validation. An attacker who can influence project terminal settings (for example, through a shared or malicious project) can embed shell expansions such as $(...) into env var keys, achieving arbitrary command execution on the remote host as the victim user when they open a terminal. …


Remediation (AI)

24 hours: Audit all Zed installations and document versions in use across development teams. 7 days: Upgrade all systems to Zed 0.227.1 or later, prioritizing developers with active SSH/WSL remote terminal usage. …
