Critical RCE Vulnerabilities in Cursor IDE Enable Zero-Click Prompt Injection Attacks
ID: e447c2ec-c200-5f94-824d-4046e0283a9f
STIX ID: report--e447c2ec-c200-5f94-824d-4046e0283a9f
Feed Name: ThreatCluster
Threat Score
Cursor AI Labs disclosed two critical zero-click remote code execution vulnerabilities in Cursor IDE (CVE-2026-50548 and CVE-2026-50549) stemming from improper sandbox working-directory and symlink handling; both carry a CVSS score of 9.8. A patch was released in April 2026, but unpatched systems—including many in the Fortune 500—remain vulnerable; users are advised to avoid processing untrusted content until confirmed fixed.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
