Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious repo is network-delivered (AV:N, AC:L, PR:N) but the victim must open the workspace (UI:R); code runs as current user with full C/I/A impact and no scope change (S:U).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Cursor for Windows version 3.2.16 contains a binary planting vulnerability that allows remote attackers to achieve arbitrary code execution by placing a malicious git.exe file in the repository root directory. When a developer clones and opens a crafted repository, Cursor automatically resolves and executes the workspace-resident git.exe during IDE startup and on a recurring timed cadence without any user interaction, running the malicious binary under the privileges of the current user.
AnalysisAI
Arbitrary code execution in Cursor for Windows 3.2.16 lets remote attackers run code on a developer's machine by planting a malicious git.exe in a repository's root directory. Because Cursor resolves and executes the workspace-resident git.exe at IDE startup and on a recurring timer, simply cloning and opening a crafted repository triggers execution under the current user's privileges with no explicit user action beyond opening the project. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to clone and open, in Cursor for Windows 3.2.16, a repository that contains an attacker-supplied git.exe in the repository root directory; the vulnerable behavior is Cursor automatically resolving the workspace-resident git.exe during IDE startup and on a recurring timed cadence. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H, base 8.7) reflects network-delivered content, low complexity, no privileges, and passive user interaction, with high impact to confidentiality, integrity, and availability but no scope change to other systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes an attractive-looking repository (a sample project, coding challenge, or dependency) containing a malicious git.exe in its root and lures a developer into cloning and opening it in Cursor for Windows. On IDE startup - and again on the recurring timer - Cursor resolves and executes the planted git.exe with the developer's privileges, giving the attacker code execution with no further interaction. … |
| Remediation | No vendor-released patch identified at time of analysis; no fixed version is present in the provided data, and the Mindgard disclosure title suggests remediation was not yet coordinated. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Cursor 3.2.16 installations on Windows systems and immediately either uninstall the application or restrict developer access exclusively to internal, controlled repositories until a vendor patch is available. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu
Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where
Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh
Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI
Same weakness CWE-426 – Untrusted Search Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45178
GHSA-prfr-jc65-hr23