Description

Warp is an agentic development environment. From 0.2025.03.05.08.02.stable_00 until 0.2026.05.06.15.42.stable_01, Warp accepts non-inline `OSC 1337;File` payloads from terminal output and materializes the decoded payload as a local file without an additional confirmation step. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

Severity (CVSS)

Base score: 8.8
Severity: High
Version: CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Provided by: CNA

Weaknesses

  • CWE-20: Improper Input Validation
  • CWE-73: External Control of File Name or Path

Affected products

Vendor: warpdotdev
Product: warp
Versions: >= 0.2025.03.05.08.02.stable_00, < 0.2026.05.13.09.15.stable_01

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 25 Jun 2026 10:14 UTC.