A flaw was found in zsh prior 5.3.1. There is a vulnerability when in sh compatibility mode if HOME was not set and cd was used with no argument. References: https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58
(In reply to Laura Pardo from comment #0) > A flaw was found in zsh prior 5.3.1. The commit you refer to landed (217 commits) _after_ the 5.3.1 release.
fixed in zsh-5.3.1-7.fc26
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073