Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cursor (5 articles)Clear

Cursor flaws let a poisoned prompt escape the AI coding sandbox and run commands

Researchers at Cato AI Labs detailed two flaws, dubbed DuneSlide, in the AI code editor Cursor that let a prompt-injection attack break out of the sandbox Cursor uses to contain the commands its agent runs. The attacker never types anything: they plant instructions in content the agent reads on the user's behalf, such as a connected MCP service or a web page. One flaw abuses a working-directory setting to get an attacker path added to the allowed-write list, letting injected commands overwrite the sandbox helper itself and then run with no sandbox. Both are rated 9.8 and are fixed in Cursor 3.0; every earlier version is affected, so users should update.

Check
Confirm Cursor is updated to 3.0 or later on developer machines, and review whether your AI coding agents can be steered by content they read from MCP servers, web pages, or repositories.
Affected
Developers running Cursor versions before 3.0 (CVE-2026-50548 and CVE-2026-50549); a prompt injection hidden in content the agent reads can escape the command sandbox and run arbitrary commands on the machine.
Fix
Update Cursor to 3.0 or later, keep the agent's command sandbox enabled, and treat everything an AI coding agent reads, from MCP tools to web pages, as potentially hostile rather than trusted.

Pwn2Own Berlin Day 2: Microsoft Exchange falls to Orange Tsai's $200K chain, event total tops $908K

The second day of Pwn2Own Berlin 2026 added $385,750 across 15 unique zero-days, bringing the running total to $908,750 across 39 zero-days. The headline was Orange Tsai of DEVCORE chaining three bugs to gain SYSTEM-level remote code execution on Microsoft Exchange Server, taking the $200,000 top prize and pushing his event total past $375,000. Other day-two wins included a Windows 11 integer-overflow LPE, a Red Hat Enterprise Linux for Workstations root, a use-after-free in NVIDIA Container Toolkit, and AI-category exploits against LM Studio, Cursor, OpenAI Codex, and Anthropic Claude Desktop (the last as a collision with a previously known bug).

Check
Track Zero Day Initiative advisories over the next 90 days for the day-two Exchange chain (separate from CVE-2026-42897), Windows 11 LPE, RHEL Workstations escalation, NVIDIA Container Toolkit UAF, and the AI category bugs.
Affected
Fully patched Microsoft Exchange Server, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, LM Studio, Cursor IDE, OpenAI Codex, and Anthropic Claude Desktop. CVEs not yet assigned; 90-day patching window.
Fix
Pre-stage update windows for Exchange Server, Windows 11, RHEL Workstations, and the AI developer tools listed. Where Cursor, Codex, and Claude Desktop run unsupervised, restrict outbound egress and code-execution scope until patches land.

Google patched a critical 'Gemini CLI' bug that let attackers run code on developer machines through CI pipelines (CVSS 10.0)

Google patched a critical flaw in Gemini CLI, the command-line tool developers use to interact with Gemini models from CI pipelines and dev workstations. CVSS 10.0. The bug let an attacker execute arbitrary code on the developer's machine by feeding crafted input to the CLI - specifically through the same pattern that compromised LiteLLM and several other AI tools recently. A separate but related set of flaws in Cursor, the AI-powered IDE, also enables code execution. The pattern across all these AI dev tools is the same: input validation gaps where attacker-controlled prompts or model output reach a shell or code execution path.

Check
Upgrade Gemini CLI on every developer machine and CI runner today, and update Cursor to the latest version through the in-app updater.
Affected
Developers and CI/CD pipelines using Gemini CLI before the May 2026 patch. Cursor IDE users on versions before the recent security release. The broader pattern affects every AI command-line tool and IDE extension that processes untrusted input - LiteLLM, LMDeploy, MCP servers, Anthropic's MCP STDIO design, and the npm @validate-sdk/v2 trojan share the same root cause.
Fix
Upgrade Gemini CLI and confirm via 'gemini --version'. Update Cursor through the in-app updater. For CI pipelines, pin Gemini CLI version and rebuild base images. Treat all AI CLI tools as code execution surfaces and run them in sandboxed environments. Audit for any unusual outbound connections from dev machines or CI runners that ran Gemini CLI in the past month.

Attackers planted 73 fake VS Code extensions on Open VSX as 'sleepers' that pretended to be popular tools, then quietly turned malicious

Socket reported 73 newly identified malicious extensions on Open VSX, the marketplace used by VS Code, Cursor, and Windsurf editors. The extensions impersonate popular developer tools - same name, same icon, but published by newly-created GitHub accounts with empty repositories. Instead of being malicious from day one, they sit harmlessly for weeks gathering downloads and trust, then push a 'normal' update that silently installs malware. Six of the 73 extensions have already activated; the rest are still in the sleeper phase. The campaign is part of GlassWorm, an ongoing supply-chain attack family that has been working its way through npm, GitHub, and editor extension marketplaces since 2025.

Check
Check every developer machine and CI runner for editor extensions, verify each publisher matches the official one, and remove anything you can't account for.
Affected
Developers using VS Code, Cursor, Windsurf, or other Open VSX-compatible editors who installed extensions in the past two months. Particularly risky if your team installs popular extensions by name without checking publisher namespace, or auto-updates extensions without review. Sleeper extensions look identical to legitimate ones, so visual checks alone are insufficient.
Fix
List installed extensions in each editor and cross-check the publisher against the legitimate one (microsoft.* for Microsoft tools, the original project's GitHub for others). Remove any with newly-created publishers or mismatched namespaces. Disable auto-update on extensions in higher-risk environments. Allowlist approved extensions in managed dev environments. Socket's GlassWorm v2 page tracks the 73 by name.

Anthropic MCP STDIO design flaw exposes 200,000+ AI servers to RCE - 14 CVEs assigned, Anthropic calls it 'expected behavior' (backfill from April 15)

Backfill from April 15: OX Security disclosed an architectural flaw in the official Model Context Protocol SDKs (Python, TypeScript, Java, Rust) that lets attacker-controlled JSON config trigger arbitrary OS commands via the STDIO transport. Roughly 200,000 publicly reachable MCP servers and 150 million SDK downloads inherit the issue. OX has tied 14 CVEs to the same root cause across LiteLLM (patched), Bisheng (patched), Windsurf (zero-click RCE in Cursor-style IDEs, still reported), Flowise, LangFlow, GPT Researcher, Agent Zero, and DocsGPT. Anthropic declined to patch the protocol, calling the behavior 'expected.'

Check
Audit every MCP server installed in Claude Code, Cursor, and other AI dev tools, remove any whose origin you don't recognize, and treat MCP configs as executable code.
Affected
Any tool or service running an Anthropic-SDK MCP server with STDIO transport, especially when add/configure flow is exposed to user input or marketplaces. Confirmed-affected: LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, DocsGPT, Bisheng, Windsurf, Cursor IDE workflows, GPT Researcher, plus any private MCP server built on the official SDK without input sanitization.
Fix
Patch downstream tools to fixed versions (LiteLLM, Bisheng, Cursor). Block public internet access to services that host MCP add/configure UIs. Treat all external MCP configuration input as untrusted; never let raw user input reach StdioServerParameters. Run MCP services in sandboxes with no production-secret access. Install MCP servers only from verified sources and pin to specific commits.