Cursor
CVE-2026-31854
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0.
AnalysisAI
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Technical ContextAI
This vulnerability (CWE-78: OS Command Injection) affects Cursor is a code editor built for programming with AI.. Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0.
RemediationAI
Fixed in version 2.0..
Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu
Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where
Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh
Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit
Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today