CVE-2026-48731
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk39th percentile - higher than 39% of all known CVEs
Summary
Warp, an agentic development environment, contains a command injection issue in the Linux external editor launcher. Versions from 0.2024.02.20.08.01.stable_01 to 0.2026.05.06.15.42.stable_01 allow execution of malicious code by opening an attacker-controlled file.
Risk Assessment
An attacker can exploit this vulnerability to execute arbitrary commands in the context of the local user, posing a significant security risk to the system.
Recommendation
It is recommended to update Warp to version 0.2026.05.06.15.42.stable_01 to mitigate this vulnerability.
Original NVD description (English source)
Warp is an agentic development environment. From 0.2024.02.20.08.01.stable_01 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expanded command through a shell. A user who opens an attacker-controlled local file path through an affected external editor or system-default editor route can cause shell syntax embedded in that path to execute as the local user. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

