Cyber Resilience

CVE-2026-27800

High · Public PoC

Published: 26 February 2026

Modified: 04 March 2026
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
EPSS Score: 0.0007 (20.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27800 is a high-severity Path Traversal (CWE-22) vulnerability in the Zed code editor. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Boot or Logon Autostart Execution (T1547). The CVE ranks at the 20.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27800 is a Zip Slip path traversal vulnerability in the Zed code editor, affecting versions prior to 0.224.4. The issue resides in the `extract_zip()` function within `crates/util/src/archive.rs`, which does not properly validate ZIP entry filenames against path traversal sequences such as `../`. This flaw enables malicious ZIP archives to extract files beyond the intended sandbox directory for extensions. The vulnerability is rated 7.4 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) and maps to CWE-22.

An attacker can exploit this vulnerability by crafting a malicious ZIP archive disguised as a legitimate Zed extension. Users must be tricked into downloading and installing the extension via user interaction, such as clicking a link from an untrusted source. Successful exploitation allows the attacker to write arbitrary files outside the extension's sandbox, potentially overwriting critical files and leading to integrity violations like configuration changes or persistence mechanisms, though no direct confidentiality or availability impacts are noted.

The official Zed security advisory at https://github.com/zed-industries/zed/security/advisories/GHSA-v385-xh3h-rrfr details the issue and confirms that upgrading to version 0.224.4 resolves the vulnerability by implementing proper path validation during ZIP extraction. Security practitioners should advise users to update Zed immediately and avoid installing extensions from untrusted sources.
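The kind of entry-name check whose absence defines Zip Slip, as an added example (not Zed's actual fix and not code from the advisory). `safe_entry_path` and `rejected` are hypothetical helpers, and the entry names and sandbox path are constructed.

```rust
use std::path::{Path, PathBuf};

/// Map a ZIP entry name to a path under `dest`, or None if it could escape.
/// Hypothetical helper for illustration; not a function from the Zed code base.
pub fn safe_entry_path(dest: &Path, entry_name: &str) -> Option<PathBuf> {
    // ZIP names use '/', but treat '\' the same so "..\x" is caught on every OS.
    let name = entry_name.replace('\\', "/");
    // Absolute names and embedded NUL bytes are never legitimate here.
    if name.starts_with('/') || name.contains('\0') {
        return None;
    }
    let mut out = dest.to_path_buf();
    let mut depth = 0;
    for part in name.split('/') {
        match part {
            "" | "." => continue,                // "a//b" and "./a" are harmless
            ".." => return None,                 // conservative: refuse any parent hop
            p if p.contains(':') => return None, // drive prefix such as "C:"
            p => {
                out.push(p);
                depth += 1;
            }
        }
    }
    // A name with no real component ("", ".") does not identify a file.
    if depth == 0 { None } else { Some(out) }
}

/// Names from an archive listing that extraction should refuse.
pub fn rejected<'a>(dest: &Path, names: &[&'a str]) -> Vec<&'a str> {
    names.iter().copied().filter(|n| safe_entry_path(dest, n).is_none()).collect()
}

fn main() {
    // Constructed entry names, not taken from any real archive.
    let names = ["extension.toml", "grammars/a.wasm", "../../outside.txt",
                 "/abs/outside.txt", "dir\\..\\..\\outside.txt", "C:/outside.txt"];
    let dest = Path::new("/tmp/ext-sandbox");
    for n in rejected(dest, &names) {
        println!("refused: {}", n);
    }
}
```

This check is purely lexical: it does not account for symlinks already present under the destination directory, which an extractor has to handle separately.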

Vulnerability details

Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for path traversal sequences (e.g., `../`). This allows a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive. Version 0.224.4 fixes the issue.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1547 Boot or Logon Autostart Execution (Persistence)
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

T1554 Compromise Host Software Binary (Persistence)
Adversaries may modify host software binaries to establish persistent access to systems.

T1574 Hijack Execution Flow (Stealth)
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.

Why these techniques?

Zip Slip enables arbitrary file write outside extension sandbox after user installs malicious ZIP (T1204.002 prerequisite); directly supports dropping autostart files (T1547), overwriting binaries/configs (T1554), or placing hijack payloads (T1574).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44461 (same product: Zed)
CVE-2026-44463 (same product: Zed)
CVE-2026-44465 (same product: Zed)
CVE-2026-27976 (same product: Zed)
CVE-2026-25805 (same product: Zed)
CVE-2026-27967 (same product: Zed)
CVE-2026-20613 (shared CWE-22)
CVE-2026-30290 (shared CWE-22)
CVE-2026-22685 (shared CWE-22)
CVE-2025-67963 (shared CWE-22)

Affected Assets

zed
zed
≤ 0.224.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation of untrusted inputs (ZIP entry filenames) to block path traversal sequences such as '../' during extract_zip() processing.

prevent: Enforces that file writes from extension archives are confined to the designated sandbox directory, preventing the unauthorized access that the missing filename checks allow.

detect: Provides integrity verification mechanisms that can detect unauthorized file modifications outside the intended extension directory after a malicious archive is processed.
