Cyber Resilience

CVE-2026-25805

Severity: Medium · Public PoC

Published: 10 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: 0.219.4
CVSS v3.1 score: 6.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0007 (20.9th percentile)
Risk priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25805 is a medium-severity "Product UI does not Warn User of Unsafe Actions" (CWE-356) vulnerability in Zed (vendor: Zed). Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-3 (Content of Audit Records).

Deeper analysis

CVE-2026-25805 affects Zed, a multiplayer code editor, in versions prior to 0.219.4. The vulnerability stems from the application's failure to display the parameters used when invoking tools, both at the time of requesting user allowance and afterward. This lack of visibility (classified under CWE-356) enables potentially unwanted or malicious parameter values to be executed without user awareness. The issue carries a CVSS v3.1 base score of 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires network access, high privileges (such as those held by a collaborator in a multiplayer session), high attack complexity, and user interaction in the form of granting permission to the tool invocation. An attacker could craft a tool call with malicious parameters, tricking the user into approving it unknowingly, potentially leading to high-impact confidentiality, integrity, and availability violations on the victim's system.

The Zed project patched this in version 0.219.4 by adding expandable details for tool calls, enabling users to inspect parameters before and after invocation. Additional details are available in the GitHub Security Advisory at https://github.com/zed-industries/zed/security/advisories/GHSA-f2g4-87h6-4pxq.
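To make the CWE-356 shape concrete, here is an added Rust sketch (not Zed's code) of the weak approval prompt beside a hardened one that discloses every parameter and writes an AU-3-style audit line; the `ToolCall` type and the sample call are constructed for this example.

```rust
use std::collections::BTreeMap;

/// A tool call as an agent requests it (constructed type, not Zed's own).
#[derive(Debug, Clone)]
pub struct ToolCall {
    pub tool: String,
    pub params: BTreeMap<String, String>,
}

/// Vulnerable pattern (CWE-356): names the tool but omits every parameter.
pub fn prompt_without_params(call: &ToolCall) -> String {
    format!("Allow tool `{}` to run?", call.tool)
}

/// Hardened pattern: lists every parameter. Debug formatting escapes newlines
/// and control characters so a value cannot reshape the prompt itself.
pub fn prompt_with_params(call: &ToolCall) -> String {
    let mut out = format!("Allow tool `{}` to run with these parameters?\n", call.tool);
    if call.params.is_empty() {
        out.push_str("  (no parameters)\n");
    }
    for (key, value) in &call.params {
        out.push_str(&format!("  {} = {:?}\n", key, value));
    }
    out
}

/// Check that a prompt discloses every parameter key and escaped value
/// before the decision is taken; the weak prompt fails this.
pub fn parameters_disclosed(prompt: &str, call: &ToolCall) -> bool {
    call.params.iter()
        .all(|(k, v)| prompt.contains(k.as_str()) && prompt.contains(&format!("{:?}", v)))
}

/// Audit record in the spirit of NIST AU-3: tool, decision and the complete
/// parameter set, so post-invocation review can recover what actually ran.
pub fn audit_record(call: &ToolCall, approved: bool) -> String {
    let params: Vec<String> = call.params.iter().map(|(k, v)| format!("{}={:?}", k, v)).collect();
    format!("event=tool_invocation tool={:?} approved={} params=[{}]", call.tool, approved, params.join(" "))
}

fn main() {
    // Constructed sample: a terminal tool call whose command value ends in a newline.
    let mut params = BTreeMap::new();
    params.insert("command".to_string(), "cargo test\n".to_string());
    let call = ToolCall { tool: "terminal".to_string(), params };
    println!("{}\n", prompt_without_params(&call));
    print!("{}", prompt_with_params(&call));
    println!("{}", audit_record(&call, true));
}
```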

Vulnerability details

Zed is a multiplayer code editor. Prior to 0.219.4, Zed does not show with which parameters a tool is being invoked when asking for allowance. Further, it does not show, after the tool has been invoked, which parameters were used. Thus, potentially unwanted or even malicious values could be used without the user having a chance to notice. Patched in Zed Editor 0.219.4, which includes expandable tool call details.

CWE(s): CWE-356 (Product UI does not Warn User of Unsafe Actions)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1204 User Execution (Execution): An adversary may rely upon specific actions by a user in order to gain execution.
T1078.003 Local Accounts (Stealth): Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

UI omission of tool parameters (CWE-356) directly enables a collaborator (valid account) to obtain user approval for hidden malicious parameters, resulting in execution via the editor's tool/command interpreter (T1059) after user interaction (T1204).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44461 (same product: Zed)
CVE-2026-44463 (same product: Zed)
CVE-2026-44465 (same product: Zed)
CVE-2026-27800 (same product: Zed)
CVE-2026-27976 (same product: Zed)
CVE-2026-27967 (same product: Zed)
CVE-2025-3839 (shared CWE-356)
CVE-2025-2450 (shared CWE-356)

Affected Assets

Vendor: zed
Product: zed
Versions: ≤ 0.219.4 (note: the advisory text states that versions prior to 0.219.4 are affected and that 0.219.4 is the fixed release)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: Requires the system to enforce access decisions for tool invocations only after the user has been shown and can review the exact parameters being supplied.

Detect: Mandates that audit records capture the full content of each tool invocation, including all parameters, so post-invocation review can reveal malicious values.

Prevent: Ensures access-control decisions are made against complete, accurate information (parameters) rather than opaque requests.
