

Ethical Hacking News

Critical Cursor Flaws Allow for Sandbox Escape and Command Execution


Recent vulnerabilities found in the Cursor AI code editor have exposed high-profile organizations to command execution attacks. The discovery underscores the need for timely updates and a cautious approach towards AI-powered systems.

  • Critical Cursor flaws (CVE-2026-50548 and CVE-2026-50549) have been identified in Cursor version 2.x, allowing attackers to execute arbitrary commands on developer computers.
  • The vulnerabilities exploit a prompt injection vulnerability that allows attackers to inject malicious instructions without user interaction.
  • The flaws are attributed to inadequate sandboxing in Cursor's 2.x line, which can be exploited by attackers to write files outside the intended boundaries.
  • More than half of Fortune 500 companies use Cursor, highlighting the severity of this issue and exposing them to potential attacks.
  • The vulnerabilities were reported on February 19 but not addressed until June 5, when patches for version 3.0 were released.
  • DuneSlide and MCPoison are similar vulnerabilities discovered by Cato AI Labs that exploit similar tactics to escape the sandbox and execute arbitrary commands.



    The cybersecurity landscape has recently witnessed a significant escalation in vulnerability disclosures, with a particular focus on AI-powered code editors like Cursor. According to recent reports from Cato AI Labs, two critical Cursor flaws (CVE-2026-50548 and CVE-2026-50549) have been identified that can allow ordinary-looking prompts to break out of the editor's safety sandbox and run any command on a developer's computer.

    The vulnerabilities were discovered in Cursor version 2.x, with the patches being released as part of version 3.0. It is worth noting that every version prior to 3.0 is affected by these flaws, highlighting the importance of timely software updates for ensuring the security and integrity of critical systems. The fact that more than half of the Fortune 500 companies use Cursor underscores the severity of this issue, as it exposes a large number of high-profile organizations to potential attacks.

    The Cursor flaws are attributed to a vulnerability called prompt injection, which allows attackers to inject malicious instructions into the editor without requiring any user interaction. This is made possible by the fact that the sandbox in Cursor's 2.x line does not adequately prevent writes to certain directories, such as system files or configuration files, which can be exploited by an attacker to escape the sandbox and execute arbitrary commands on the developer's computer.

    The attack mechanism is straightforward: an attacker plants instructions inside a normal-looking prompt that is intended for the AI agent to read. This prompt might come from a connected service through the Model Context Protocol (MCP) or a page returned by a web search, which are both legitimate sources of data that Cursor reads on behalf of its users. When the user asks a question in a normal manner, these hidden instructions accompany the request and can be executed without any visible signs of malicious activity.

    The two identified vulnerabilities use similar tactics to achieve their goals. Both bugs exploit Cursor's safety measures by allowing an attacker to write files outside the intended sandbox boundaries. In one case, this involves writing to a command's working folder, which is set as an optional parameter in Cursor's run_terminal_cmd tool. When this parameter is set to a non-default path, Cursor adds it to the allowed-write list without any questions asked.

    The other vulnerability exploits a safety check that Cursor performs when attempting to write files. This involves resolving shortcuts (symlinks) to confirm that their real destination sits within the project directory. However, if an attacker creates a shortcut that points outside this boundary and removes read access from the relevant folder, Cursor will trust the shortcut's in-project path instead of its actual destination. This results in the same kind of escape as in the first vulnerability but through a different door.
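
The two boundary checks described above, the working-folder parameter and the symlink resolution, sketched as an added example that is not Cursor's code and not part of the original article. All function names are hypothetical, and the resolver is injectable so the unreadable-folder case can be reproduced with a constructed stand-in for fs.realpathSync.

```javascript
// Added example: hypothetical helper names, not Cursor's code. Sample paths are POSIX.
const fs = require("node:fs");
const path = require("node:path");

// True when `child` equals `root` or lies beneath it (both absolute, already resolved).
function isInside(root, child) {
  const rel = path.relative(root, child);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Weak pattern from the article: when the symlink cannot be resolved,
// fall back to the in-project path as written and trust it.
function allowWriteFailOpen(root, target, resolve = fs.realpathSync) {
  let real;
  try { real = resolve(target); } catch { real = path.resolve(target); }
  return isInside(root, real);
}

// Hardened: resolve both sides and treat every resolution error as a denial.
// A target that does not exist yet also fails here and needs its own parent check.
function allowWriteFailClosed(root, target, resolve = fs.realpathSync) {
  try {
    return isInside(resolve(root), resolve(target));
  } catch {
    return false;
  }
}

// Working-directory parameter: only a directory that resolves inside the
// project joins the allowed-write list; anything else needs explicit approval.
function approveWorkingDir(root, cwd, allowList, resolve = fs.realpathSync) {
  if (!allowWriteFailClosed(root, cwd, resolve)) return false;
  allowList.add(resolve(cwd));
  return true;
}

// Constructed resolver standing in for fs.realpathSync: `links` maps a path to
// its real destination, `unreadable` lists paths whose resolution fails (EACCES).
function fakeResolver(links, unreadable) {
  return (p) => {
    const abs = path.resolve(p);
    if (unreadable.includes(abs)) throw Object.assign(new Error("EACCES"), { code: "EACCES" });
    return links[abs] || abs;
  };
}
```

The write itself should go to the same resolved path that was checked, so that the link cannot be swapped between the check and the write.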

    The impact of these vulnerabilities cannot be overstated. Once the sandbox is neutralized, any command executed by the AI agent is run with the privileges of the user, potentially allowing an attacker to gain control over their computer and exploit any connected cloud or SaaS workspaces that the editor is signed into.

    Cato AI Labs reported these flaws on February 19, followed by the immediate rejection of the reports four days later. It wasn't until February 26 that Cursor escalated the issue, triaged the reports, and released patches for both vulnerabilities in version 3.0. The CVE IDs were assigned on June 5.

    This incident highlights a broader pattern of Cursor-related vulnerabilities discovered by Cato AI Labs, including CurXecute (CVE-2025-54135) and MCPoison (CVE-2025-54136). These bugs, like DuneSlide, exploit similar tactics to escape the sandbox and execute arbitrary commands on developer computers.

    The fact that DuneSlide has been assigned a severity rating of 9.8 out of 10 underscores its potential impact on the cybersecurity landscape. This highlights an important question for organizations shipping AI-powered agents: whether treating every input as hostile becomes the default in order to mitigate such risks, or whether it remains a patch-by-patch scramble.

    In conclusion, the recent discovery of critical flaws in the Cursor AI code editor has exposed many high-profile organizations to command execution attacks. As Cato AI Labs continues to shed light on similar vulnerabilities in other coding agents and emphasizes the structural nature of this issue, users are urged to update their software as soon as possible and adopt a more cautious approach when working with AI-powered systems.





  • Published: Wed Jul 1 19:18:07 2026 by llama3.2 3B Q4_K_M












