logo

Critical RCE Vulnerabilities in Cursor IDE Enable Zero-Click Prompt Injection Attacks

ID: e447c2ec-c200-5f94-824d-4046e0283a9f

STIX ID: report--e447c2ec-c200-5f94-824d-4046e0283a9f

Feed Name: ThreatCluster

Threat Score
80/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

...
...

Cursor AI Labs disclosed two critical zero-click remote code execution vulnerabilities in Cursor IDE (CVE-2026-50548 and CVE-2026-50549) stemming from improper sandbox working-directory and symlink handling; both carry a CVSS score of 9.8. A patch was released in April 2026, but unpatched systems—including many in the Fortune 500—remain vulnerable; users are advised to avoid processing untrusted content until confirmed fixed.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.