Cato AI Labs disclosed two critical vulnerabilities in the Cursor AI code editor, dubbed DuneSlide, that can let attackers escape the product’s terminal sandbox and achieve arbitrary code execution through zero-click prompt injection. The flaws, tracked as CVE-2026-50548 and CVE-2026-50549 and rated CVSS 9.8, affect Cursor versions before 3.0. Researchers said malicious instructions hidden in attacker-controlled content—such as poisoned web search results or responses from MCP-connected services—could be ingested by Cursor and trigger exploitation without deliberate user interaction.
The first vulnerability abuses the LLM-controlled working_directory parameter in the run_terminal_cmd tool to write outside the project root, while the second exploits a symlink canonicalization failure that can bypass path validation when destination resolution fails. Researchers showed the bugs could be used to overwrite the cursorsandbox helper and other sensitive files, causing later commands to run with the user’s privileges and potentially exposing the local machine as well as connected cloud and SaaS workspaces. Cursor said the issues were patched in version 3.0, released on April 2, and reports said there is currently no evidence of active exploitation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Cato Networks reported the two DuneSlide vulnerabilities, CVE-2026-50548 and CVE-2026-50549, to Cursor in February 2026. This vendor notification preceded the April 2 release of Cursor 3.0 containing fixes.
Cato AI Labs disclosed two critical remote code execution vulnerabilities in Cursor IDE, dubbed DuneSlide, that allow prompt injection to escape the sandbox and achieve arbitrary command execution. The flaws are tracked as CVE-2026-50548 and CVE-2026-50549, and the reporting notes no evidence of active exploitation.
The two critical Cursor IDE vulnerabilities, CVE-2026-50548 and CVE-2026-50549, were patched in Cursor version 3.0. The source states Cursor 3.0 was released on April 2 and that versions before 3.0 are affected.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityweek.com
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourcereddit.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.