Researchers disclosed two critical vulnerabilities in the Cursor AI code editor, collectively named DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549, that allow zero-click prompt-injection attacks to escape the IDE sandbox and achieve remote code execution on the underlying operating system. Both flaws carry a CVSS 9.8 rating and affect Cursor versions prior to 3.0, with exploitation enabling arbitrary file writes on a victim’s local system and potential compromise of linked SaaS workspaces.
The attack chain abuses Cursor’s agent terminal command handling through working-directory manipulation and a symlink-based path resolution bypass, allowing attackers to overwrite the cursorsandbox helper and run arbitrary commands with the user’s privileges outside the sandbox. The issues were responsibly disclosed in February 2026 and fixed in Cursor 3.0, released on April 2, 2026; while no active exploitation had been confirmed at publication, reporting warned the technique is highly automatable and organizations were urged to upgrade immediately and review any untrusted prompts or files processed before patching.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Cato AI Labs disclosed technical details of the DuneSlide flaws, explaining that parameter manipulation in sandbox policy generation and symlink-based path resolution issues could enable arbitrary file writes and remote code execution. The disclosure also warned that exploitation could impact both local devices and linked SaaS workspaces.
The two critical Cursor IDE vulnerabilities later dubbed DuneSlide were responsibly disclosed in February 2026. The flaws affect Cursor versions prior to 3.0 and enable sandbox escape and zero-click remote code execution.
The two Cursor vulnerabilities were assigned and published on 2026-06-24 as CVE-2026-50548 and CVE-2026-50549. They were rated critical and described as enabling zero-click prompt-injection-driven compromise of the host system.
Cursor released version 3.0 on 2026-04-02, fixing CVE-2026-50548 and CVE-2026-50549. The update addressed the vulnerabilities that allowed arbitrary file writes, sandbox escape, and code execution outside the IDE sandbox.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cysecurity.news
Open sourcethreataft.com
Open sourcecyberveille.ch
Open sourcethreataft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.