CVE-2026-27800
Published: 26 February 2026
Summary
CVE-2026-27800 is a high-severity Path Traversal (CWE-22) vulnerability in the Zed code editor (vendor: Zed). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Boot or Logon Autostart Execution (T1547). The CVE is ranked at the 20.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Zip Slip enables an arbitrary file write outside the extension sandbox once a user installs a malicious ZIP (T1204.002 is the prerequisite); that write directly supports dropping autostart files (T1547), overwriting binaries or configs (T1554), or placing hijack payloads (T1574).
NVD Description
Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for path traversal sequences (e.g., `../`). This allows a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive. Version 0.224.4 fixes the issue.
Deeper analysis (AI-generated)
CVE-2026-27800 is a Zip Slip path traversal vulnerability in the Zed code editor, affecting versions prior to 0.224.4. The issue resides in the `extract_zip()` function within `crates/util/src/archive.rs`, which does not properly validate ZIP entry filenames against path traversal sequences such as `../`. This flaw enables malicious ZIP archives to extract files beyond the intended sandbox directory for extensions. The vulnerability is rated 7.4 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) and maps to CWE-22.
An attacker can exploit this vulnerability by crafting a malicious ZIP archive disguised as a legitimate Zed extension. Users must be tricked into downloading and installing the extension via user interaction, such as clicking a link from an untrusted source. Successful exploitation allows the attacker to write arbitrary files outside the extension's sandbox, potentially overwriting critical files and leading to integrity violations like configuration changes or persistence mechanisms, though no direct confidentiality or availability impacts are noted.
The official Zed security advisory at https://github.com/zed-industries/zed/security/advisories/GHSA-v385-xh3h-rrfr details the issue and confirms that upgrading to version 0.224.4 resolves the vulnerability by implementing proper path validation during ZIP extraction. Security practitioners should advise users to update Zed immediately and avoid installing extensions from untrusted sources.
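The class of check that closes a Zip Slip bug is the one the advisory describes: every entry name must be mapped onto a path under the extraction root, and anything that cannot be mapped there is rejected. The following is an added, self-contained example written for this page; it is not Zed's code and does not reproduce the patch in 0.224.4. It uses only the Rust standard library, so it validates entry names rather than reading a real archive, and the destination directory and entry names in `main` are constructed sample values.

```rust
use std::path::{Component, Path, PathBuf};

/// Outcome of validating one ZIP entry name against the extraction root.
#[derive(Debug, PartialEq)]
pub enum EntryCheck {
    /// Safe to write: the resolved path lies inside the destination directory.
    Ok(PathBuf),
    /// The entry must not be written; the reason is a short, fixed label.
    Rejected(&'static str),
}

/// Map a raw ZIP entry name onto a path under `dest`, refusing anything that
/// would escape it. Illustrative only: this is not the Zed project's routine.
pub fn safe_entry_path(dest: &Path, entry_name: &str) -> EntryCheck {
    // ZIP names are supposed to use '/', but a crafted archive may use '\',
    // which Windows also treats as a separator. Normalise before inspecting.
    let normalized = entry_name.replace('\\', "/");

    // An absolute name can never be a legitimate location inside `dest`.
    if normalized.starts_with('/') {
        return EntryCheck::Rejected("absolute path");
    }
    // Drive-style segments ("C:...") are treated as a prefix on Windows but as
    // an ordinary name on Unix; reject them everywhere to keep behaviour uniform.
    if normalized.contains(':') {
        return EntryCheck::Rejected("drive-like segment");
    }

    // Rebuild the path one component at a time so only plain names are kept.
    let mut out = dest.to_path_buf();
    for component in Path::new(&normalized).components() {
        match component {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => return EntryCheck::Rejected("parent directory component"),
            Component::RootDir | Component::Prefix(_) => {
                return EntryCheck::Rejected("absolute path")
            }
        }
    }

    // An entry that resolves to the root itself (e.g. "" or "./") has no
    // file to write and would clobber the directory; refuse it.
    if out == dest {
        return EntryCheck::Rejected("empty entry name");
    }
    // Belt and braces: the rebuilt path must still be under `dest`.
    if !out.starts_with(dest) {
        return EntryCheck::Rejected("escapes destination");
    }
    EntryCheck::Ok(out)
}

/// Validate a whole list of entry names and return the names that were
/// rejected. A single rejection is grounds to abandon the archive entirely
/// rather than extracting the "good" entries.
pub fn rejected_entries<'a>(dest: &Path, names: &[&'a str]) -> Vec<&'a str> {
    names
        .iter()
        .copied()
        .filter(|name| matches!(safe_entry_path(dest, name), EntryCheck::Rejected(_)))
        .collect()
}

fn main() {
    // Constructed sample: a sandbox directory and entry names a hostile
    // archive might carry alongside legitimate ones.
    let dest = Path::new("/tmp/zed-extensions/example-ext");
    let names = [
        "extension.toml",
        "src/./lib.rs",
        "../../.bashrc",
        "..\\..\\startup.sh",
        "/etc/profile.d/z.sh",
        "C:/Users/x/run.bat",
    ];
    for name in names {
        println!("{name:?} -> {:?}", safe_entry_path(dest, name));
    }
    println!("rejected: {:?}", rejected_entries(dest, &names));
}
```

The rebuild-from-components approach is preferable to scanning for the substring `../`, because it also rejects a bare `..`, a `..` appearing after a legitimate directory (`assets/../../x`), and backslash variants. One limitation worth noting for a real extractor: this check only reasons about names. If an earlier entry is allowed to create a symbolic link inside `dest`, a later entry could be written through that link, so a production extractor should also refuse symlink entries or canonicalise each target's parent directory after creating it.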
Details
- CWE(s)