Anysphere Cursor vulnerabilities

19 known vulnerabilities affecting anysphere/cursor.

Total CVEs: 19
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 13, MEDIUM 2

Vulnerabilities

CVE-2026-31854 | HIGH | CVSS 8.7 | fixed in 2.0 | 2026-03-11
CWE-78: Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to "assist" the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, wi
Source: nvd
CVE-2026-26268 | CRITICAL | CVSS 9.9 | fixed in 2.5 | 2026-02-13
CWE-862: Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (i.e. prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required
Source: nvd
CVE-2026-22708 | HIGH | CVSS 7.2 | fixed in 2.3 | 2026-01-14
CWE-15: Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell envir
Source: nvd
CVE-2025-64110 | HIGH | CVSS 8.7 | fixed in 2.0 | 2025-11-05
CWE-284: Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-exis
Source: nvd
CVE-2025-64107 | HIGH | CVSS 8.8 | fixed in 2.0 | 2025-11-04
CWE-22: Cursor is a code editor built for programming with AI. In versions 1.7.52 and below, manipulating internal settings may lead to RCE. Cursor detects path manipulation via forward slashes (./.cursor/./././././mcp.json etc.), and requires human approval to complete the operation. However, the same kind of manipulation using backslashes was not correctly d
Source: nvd
CVE-2025-64106 | HIGH | CVSS 8.8 | fixed in 2.0 | 2025-11-04
CWE-78: Cursor is a code editor built for programming with AI. In versions 1.7.28 and below, an input validation flaw in Cursor's MCP server installation enables specially crafted deep-links to bypass the standard security warnings and conceal executed commands from users if they choose to accept the server. If an attacker is able to convince a victim to navig
Source: nvd
CVE-2025-64108 | HIGH | CVSS 8.8 | fixed in 2.0 | 2025-11-04
CWE-22: Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite. Modification of some of the protected files can lead to RCE. Must be chained with a prompt injecti
Source: nvd
CVE-2025-59944 | CRITICAL | CVSS 9.8 | ≤ 1.6.23 | 2025-10-03
CWE-178: Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE
Source: nvd
CVE-2025-61590 | HIGH | CVSS 7.5 | fixed in 1.7 | 2025-10-03
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings (pretty similar to .vscode/settings.json) for the folders / project. An untitled workspace is automaticall
Source: nvd
CVE-2025-61591 | HIGH | CVSS 8.8 | ≤ 1.7 | 2025-10-03
CWE-78: Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chain
Source: nvd
CVE-2025-61593 | HIGH | CVSS 8.8 | ≤ 1.7 | 2025-10-03
CWE-94: Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files (i.e. */.cursor/cli.json) allows attackers to modify the content of the files through prompt injection, thus achieving remote code execution. A prompt injection can lead to full RCE through modifying
Source: nvd
CVE-2025-61592 | HIGH | CVSS 8.8 | ≤ 1.7 | 2025-10-03
CWE-829: Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific CLI configuration from the current working directory (/.cursor/cli.json) could override certain global configurations in Cursor CLI. This allowed users running the CLI inside a malicious repository to be vulnerable to Remote Code Exec
Source: nvd
CVE-2025-61589 | MEDIUM | CVSS 5.9 | fixed in 1.7 | 2025-10-03
CWE-200: Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a tool to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker-controlled server through an image fetch after successfully performing a pro
Source: nvd
CVE-2025-54135 | CRITICAL | CVSS 9.8 | fixed in 1.3.9 | 2025-08-05
CWE-78: Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file, don't already exist in the workspace, an attacker can c
Source: nvd
CVE-2025-54130 | CRITICAL | CVSS 9.8 | fixed in 1.3.9 | 2025-08-05
CWE-285: Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive editor files, such as the .vscode/settings.json file, don't already exist in the workspace, an a
Source: nvd
CVE-2025-54136 | HIGH | CVSS 8.8 | fixed in 1.3 | 2025-08-02
CWE-78: Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently
Source: nvd
CVE-2025-54133 | MEDIUM | CVSS 5.3 | ≥ 1.1.7, < 1.3 | 2025-08-02
CWE-78: Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-dee
Source: nvd
CVE-2025-54132 | HIGH | CVSS 7.5 | fixed in 1.3 | 2025-08-01
CWE-918: Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid (which is used to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker-controlled server through an image fetch after successfully performing
Source: nvd
CVE-2025-54131 | HIGH | CVSS 8.8 | fixed in 1.3 | 2025-08-01
CWE-77: Cursor is a code editor built for programming with AI. In versions below 1.3, an attacker can bypass the allow list in auto-run mode with a backtick (`) or $(cmd). If a user has swapped Cursor from its default settings (requiring approval for every terminal call) to an allowlist, an attacker can execute arbitrary command execution outside of the allowl
Source: nvd