Skip to main content

Cursor EUVDEUVD-2026-39537

| CVE-2026-50548 CRITICAL
Path Traversal (CWE-22)
2026-06-25 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.6 CRITICAL

Network-delivered malicious agent content with low complexity and no auth (PR:N), but a user must invoke the agent (UI:R); sandbox escape to host execution is a scope change (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 20:03 EUVD
Analysis Generated
Jun 25, 2026 - 19:17 vuln.today

DescriptionCVE.org

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution - for example by overwriting the cursorsandbox helper so later commands run unsandboxed - with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

AnalysisAI

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, where agent terminal commands run in a sandbox that grants write access to the command's working directory. By manipulating the working_directory parameter, a malicious or prompt-injected agent can cause the sandbox to expose writable paths outside the intended workspace, then overwrite the cursorsandbox helper so subsequent commands execute outside the sandbox entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Influence agent via untrusted prompt/repo
Delivery
Set working_directory to sensitive path
Exploit
Sandbox exposes writable external path
Execution
Overwrite cursorsandbox helper
Persist
Later command runs unsandboxed
Impact
Execute arbitrary code as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be running Cursor prior to 3.0 with agent terminal command execution in its default sandbox mode (the sandbox that grants write access to the command's working directory). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC/VI/VA:H) yields 9.3 and models full unauthenticated network-reachable compromise with high impact - consistent with the described arbitrary file write and resulting RCE under the user's privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer uses Cursor's agent on an attacker-influenced repository or follows an attacker-supplied prompt; the agent issues a terminal command whose working_directory is set to a sensitive path outside the workspace. The sandbox then permits writing there, and the agent overwrites the cursorsandbox helper so the next command runs unsandboxed with the user's privileges, achieving full RCE. …
Remediation Vendor-released patch: upgrade to Cursor 3.0, which fixes the working_directory path-traversal that allowed the sandbox to include writable paths outside the workspace; this is the primary and authoritative fix per the GitHub Security Advisory GHSA-3p48-7v9f-v5cw (https://github.com/cursor/cursor/security/advisories/GHSA-3p48-7v9f-v5cw). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all instances of Cursor AI deployed across the organization and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cursor

View all
CVE-2026-22708 CRITICAL
9.8 Jan 14

Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu

CVE-2026-50549 CRITICAL
9.3 Jun 25

Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where

CVE-2025-61592 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific

CVE-2025-61591 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit

CVE-2026-31854 HIGH
8.8 Mar 11

Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.

CVE-2026-48124 HIGH
8.5 Jun 15

Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r

CVE-2025-59944 HIGH
8.0 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa

CVE-2026-26268 HIGH
8.0 Feb 13

Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious

CVE-2026-61613 HIGH
7.7 Jul 15

Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w

CVE-2025-61590 HIGH
7.5 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R

CVE-2025-61593 HIGH
7.1 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI

CVE-2025-61589 MEDIUM
5.9 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows

Share

EUVD-2026-39537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy