RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: cursor (3 articles)Clear
vulnerability
2026-04-30

Google patched a critical 'Gemini CLI' bug that let attackers run code on developer machines through CI pipelines (CVSS 10.0)

Google patched a critical flaw in Gemini CLI, the command-line tool developers use to interact with Gemini models from CI pipelines and dev workstations. CVSS 10.0. The bug let an attacker execute arbitrary code on the developer's machine by feeding crafted input to the CLI - specifically through the same pattern that compromised LiteLLM and several other AI tools recently. A separate but related set of flaws in Cursor, the AI-powered IDE, also enables code execution. The pattern across all these AI dev tools is the same: input validation gaps where attacker-controlled prompts or model output reach a shell or code execution path.

googlegemini-clicursorai-toolsrcecvss-10ci-pipelinesinput-validationai-supply-chain
Check
Upgrade Gemini CLI on every developer machine and CI runner today, and update Cursor to the latest version through the in-app updater.
Affected
Developers and CI/CD pipelines using Gemini CLI before the May 2026 patch. Cursor IDE users on versions before the recent security release. The broader pattern affects every AI command-line tool and IDE extension that processes untrusted input - LiteLLM, LMDeploy, MCP servers, Anthropic's MCP STDIO design, and the npm @validate-sdk/v2 trojan share the same root cause.
Fix
Upgrade Gemini CLI and confirm via 'gemini --version'. Update Cursor through the in-app updater. For CI pipelines, pin Gemini CLI version and rebuild base images. Treat all AI CLI tools as code execution surfaces and run them in sandboxed environments. Audit for any unusual outbound connections from dev machines or CI runners that ran Gemini CLI in the past month.
threat
2026-04-25

Attackers planted 73 fake VS Code extensions on Open VSX as 'sleepers' that pretended to be popular tools, then quietly turned malicious

Socket reported 73 newly identified malicious extensions on Open VSX, the marketplace used by VS Code, Cursor, and Windsurf editors. The extensions impersonate popular developer tools - same name, same icon, but published by newly-created GitHub accounts with empty repositories. Instead of being malicious from day one, they sit harmlessly for weeks gathering downloads and trust, then push a 'normal' update that silently installs malware. Six of the 73 extensions have already activated; the rest are still in the sleeper phase. The campaign is part of GlassWorm, an ongoing supply-chain attack family that has been working its way through npm, GitHub, and editor extension marketplaces since 2025.

glasswormopen-vsxvs-codecursorwindsurfsleeper-extensionssupply-chainsocketdeveloper-toolsimpersonation
Check
Check every developer machine and CI runner for editor extensions, verify each publisher matches the official one, and remove anything you can't account for.
Affected
Developers using VS Code, Cursor, Windsurf, or other Open VSX-compatible editors who installed extensions in the past two months. Particularly risky if your team installs popular extensions by name without checking publisher namespace, or auto-updates extensions without review. Sleeper extensions look identical to legitimate ones, so visual checks alone are insufficient.
Fix
List installed extensions in each editor and cross-check the publisher against the legitimate one (microsoft.* for Microsoft tools, the original project's GitHub for others). Remove any with newly-created publishers or mismatched namespaces. Disable auto-update on extensions in higher-risk environments. Allowlist approved extensions in managed dev environments. Socket's GlassWorm v2 page tracks the 73 by name.
vulnerability
CVE-2026-30615CVE-2026-30623CVE-2026-33224CVE-2026-22252CVE-2026-22688CVE-2025-49596CVE-2025-54994CVE-2025-54136
2026-04-21

Anthropic MCP STDIO design flaw exposes 200,000+ AI servers to RCE - 14 CVEs assigned, Anthropic calls it 'expected behavior' (backfill from April 15)

Backfill from April 15: OX Security disclosed an architectural flaw in the official Model Context Protocol SDKs (Python, TypeScript, Java, Rust) that lets attacker-controlled JSON config trigger arbitrary OS commands via the STDIO transport. Roughly 200,000 publicly reachable MCP servers and 150 million SDK downloads inherit the issue. OX has tied 14 CVEs to the same root cause across LiteLLM (patched), Bisheng (patched), Windsurf (zero-click RCE in Cursor-style IDEs, still reported), Flowise, LangFlow, GPT Researcher, Agent Zero, and DocsGPT. Anthropic declined to patch the protocol, calling the behavior 'expected.'

anthropicmcpstdioai-supply-chainclaude-codecursorwindsurflangchainbackfillox-security
Check
Audit every MCP server installed in Claude Code, Cursor, and other AI dev tools, remove any whose origin you don't recognize, and treat MCP configs as executable code.
Affected
Any tool or service running an Anthropic-SDK MCP server with STDIO transport, especially when add/configure flow is exposed to user input or marketplaces. Confirmed-affected: LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, DocsGPT, Bisheng, Windsurf, Cursor IDE workflows, GPT Researcher, plus any private MCP server built on the official SDK without input sanitization.
Fix
Patch downstream tools to fixed versions (LiteLLM, Bisheng, Cursor). Block public internet access to services that host MCP add/configure UIs. Treat all external MCP configuration input as untrusted; never let raw user input reach StdioServerParameters. Run MCP services in sandboxes with no production-secret access. Install MCP servers only from verified sources and pin to specific commits.