Critical Cursor AI IDE Vulnerabilities Allow Remote Code Execution via Prompt Injection
Summary
Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549), each with a CVSS score of 9.8, have been reported in Cursor AI IDE by Cato Networks. Collectively named DuneSlide, the flaws combine prompt injection with the IDE's automatic execution of terminal commands inside its sandbox, which runs without prompting for user approval, to achieve remote code execution outside the sandbox. The attack path is to induce a victim to ingest an attacker-controlled payload that manipulates the sandbox's working_directory allow list.
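The summary names two controls that the attack chain gets past: the working directory of an auto-approved command must really lie inside an allow-listed root, and the allow list itself must not be editable by content the model produced after reading an untrusted file. The script below is an added illustration of that design principle, not Cursor's code and not Cato's proof of concept; the page does not describe how Cursor implements its allow list. The class and field names (SandboxPolicy, CommandRequest, the "origin" of a request) and the temporary directory layout are assumptions made for the example, and it shows the general pitfalls of a lexical prefix check (symlink escape and look-alike directory names) alongside a realpath-based containment check.

```python
"""Added example: a policy gate for auto-run terminal commands in an
AI coding agent. Hypothetical names throughout; not Cursor's code."""
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class CommandRequest:
    argv: list              # command line the agent wants to execute
    working_directory: str  # cwd the tool call asks for
    origin: str             # "user" for a human action, "model" for a tool call


class SandboxPolicy:
    """Holds the working_directory allow list and decides whether a
    model-originated command may run without a prompt."""

    def __init__(self, allowed_roots):
        # Canonicalize once so later comparisons are physical, not lexical.
        self.allowed_roots = [os.path.realpath(r) for r in allowed_roots]

    @staticmethod
    def naive_is_inside(cwd, roots):
        # Weak check: plain string prefix. No symlink or '..' resolution and
        # no separator boundary, so "/x/proj" also matches "/x/proj-evil".
        return any(cwd.startswith(r) for r in roots)

    def is_inside_allowed(self, cwd):
        # Hardened check: resolve symlinks and '..', then require that the
        # result equals a root or sits below it at a path-separator boundary.
        real = os.path.realpath(cwd)
        return any(real == r or real.startswith(r + os.sep)
                   for r in self.allowed_roots)

    def update_allow_list(self, new_roots, origin, user_approved=False):
        # Allow-list edits are privileged. An edit that originates from the
        # model (which is what an injected instruction in an ingested file
        # becomes) is refused unless a human explicitly approved it.
        if origin != "user" and not user_approved:
            raise PermissionError("allow-list change requires user approval")
        self.allowed_roots = [os.path.realpath(r) for r in new_roots]

    def decide(self, req):
        if self.is_inside_allowed(req.working_directory):
            return "auto-run"
        return "needs-approval"


def build_scenario():
    """Constructed filesystem layout for the demo (temporary directory):
    proj/            allow-listed project root
    proj/escape ->   symlink to outside/
    outside/         directory outside the sandbox
    proj-evil/       look-alike name sharing the prefix "proj"
    """
    base = os.path.realpath(tempfile.mkdtemp())
    project = os.path.join(base, "proj")
    outside = os.path.join(base, "outside")
    lookalike = os.path.join(base, "proj-evil")
    for d in (project, outside, lookalike):
        os.makedirs(d)
    os.symlink(outside, os.path.join(project, "escape"))
    return base, project, lookalike


def run_demo():
    base, project, lookalike = build_scenario()
    try:
        policy = SandboxPolicy([project])
        results = {}
        # 1. Symlink escape: lexically under proj/, physically in outside/.
        via_link = os.path.join(project, "escape")
        results["symlink_naive"] = SandboxPolicy.naive_is_inside(
            via_link, policy.allowed_roots)
        results["symlink_hardened"] = policy.decide(
            CommandRequest(["sh", "-c", "id"], via_link, "model"))
        # 2. Look-alike directory that shares the allow-listed prefix.
        results["lookalike_naive"] = SandboxPolicy.naive_is_inside(
            lookalike, policy.allowed_roots)
        results["lookalike_hardened"] = policy.decide(
            CommandRequest(["sh", "-c", "id"], lookalike, "model"))
        # 3. Model-originated attempt to widen the allow list to "/".
        try:
            policy.update_allow_list(["/"], origin="model")
            results["mutation"] = "accepted"
        except PermissionError:
            results["mutation"] = "refused"
        # 4. Legitimate command inside the project root still auto-runs.
        results["inside"] = policy.decide(
            CommandRequest(["ls"], project, "model"))
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two weak cases both pass the naive prefix test and both fall back to "needs-approval" under the realpath check; the allow-list mutation requested by the model is refused outright. In a real agent the approval prompt is the control that matters, so the gate should be exercised on the resolved path of every auto-run request, not only when the allow list is first configured.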
Source
Key quotes
Cato Networks reports two critical Cursor vulnerabilities, CVE-2026-50548 and CVE-2026-50549, each with a CVSS score of 9.8, enabling remote code execution outside the IDE sandbox.
The defects are named DuneSlide and abuse automatic terminal command execution inside the sandbox that does not prompt for approval.
A victim can be induced to ingest an attacker-controlled payload that manipulates the sandbox working_directory allow list.
You might also wanna read
Critical Redis Vulnerability (CVE-2025-49844) Allows Remote Code Execution with Maximum CVSS Score
Wiz Research has discovered a critical remote code execution vulnerability (CVE-2025-49844, nicknamed #RediShell) in Redis, the widely used
Critical Redis Security Vulnerability CVE-2025-49844 Allows Remote Code Execution
Redis has identified and fixed a critical security vulnerability (CVE-2025-49844) that allows authenticated users to execute remote code thr
Critical RCE vulnerability CVE-2026-3854 discovered in GitHub's internal git infrastructure
Wiz Research discovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure affecting both GitHub.com and GitHu
Critical RCE Vulnerability in OpenClaw AI Assistant (CVE-2026-25253) Allows Data and Key Theft
A technical security analysis reveals a critical remote code execution (RCE) vulnerability (CVE-2026-25253) in OpenClaw, a popular open-sour
OpenCode AI Coding Agent Hit with Critical Remote Code Execution Vulnerability
OpenCode, a popular open-source AI coding agent, was recently hit with a critical CVE (Common Vulnerabilities and Exposures) that allowed fo
GitHub Copilot Vulnerability Enables Remote Code Execution via Prompt Injection
A critical security vulnerability (CVE-2025-53773) in GitHub Copilot allows attackers to achieve remote code execution by placing the AI ass
