{"date":"2026-07-08","headline":"Cursor \u2018DuneSlide\u2019 Bugs Show How a Single Prompt Can Escape the IDE and Hit the OS","mitigation_steps":["Upgrade Cursor to versions that patch DuneSlide (CVE-2026-50548/50549) and earlier MCP vulnerabilities (e.g., CurXecute and MCPoison), and enforce a policy that only fully patched IDE versions may access sensitive code or secrets.[6][8][9]","Treat all MCP servers, browser integrations, and repository content as untrusted: require explicit, per-MCP approval for configuration changes, and restrict MCPs and tools to a least-privilege set of commands (no generic shell where possible).[6][7][9]","Separate instructions from untrusted user or content-derived text with explicit context boundaries, and ensure agents never treat data pulled from repositories, docs, or the web as authoritative system instructions.","Enable and enforce Cursor security controls (such as trust/workspace protections) and open unknown or external repositories in a low-privilege environment or alternate editor for manual triage before allowing AI agents or terminals to execute actions in them.[4][3]","Run adversarial prompt tests against AI-assisted coding workflows (including MCP flows and terminal actions) to verify that prompts embedded in code, READMEs, or server responses cannot coerce the agent into unsafe commands or policy-bypassing changes.[1][2][3]","Log prompt inputs, model decisions, and all tool or shell invocations from AI agents, and require human approval before model-initiated changes affect production codebases, CI/CD pipelines, or infrastructure configurations."],"recommended_services":["Secure AI Agent Build","AI Agent Business Logic Audit","Continuous AI Red Teaming","AI Security Readiness Assessment","AI Policy Generator & Support","AI CISO Advisory"],"risk_category":"prompt injection","source_links":[{"source":"thehackernews.com","title":"Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands","url":"https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html"},{"source":"securityweek.com","title":"Critical Gitea Flaw Under Active Exploitation, Researchers Warn","url":"https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/"},{"source":"securityweek.com","title":"Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution","url":"https://www.securityweek.com/critical-cursor-ai-ide-flaws-could-lead-to-os-level-remote-code-execution/"},{"source":"securityweek.com","title":"FortiBleed: 86,000 Fortinet Device Credentials Compromised","url":"https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/"},{"source":"thehackernews.com","title":"CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited","url":"https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html"}],"summary":"Public reporting describes two critical Cursor vulnerabilities, CVE-2026-50548 and CVE-2026-50549 (\u201cDuneSlide\u201d), that allow a single prompt injection to escape the IDE sandbox and achieve OS-level remote code execution with the developer\u2019s privileges.[8][0] Factually, these flaws are triggered when the agent ingests untrusted content (e.g., MCP responses or web results), enabling arbitrary file writes and command execution outside the terminal sandbox; fixes ship in Cursor 3.0.[0][8] Additional research and prior CVEs (CurXecute, MCPoison, and related MCP handling issues) show that Cursor\u2019s interaction with MCP servers and editor special files has repeatedly allowed prompt-controlled agents to run arbitrary commands or silently persist code execution after a one-time trust decision.[6][7][9] Separate academic work on agentic coding editors reports prompt-injection success rates up to 84% for making tools like Cursor and Copilot execute malicious commands, including credential theft and data exfiltration, underscoring that this is a structural class of failure, not an isolated bug.[2][3] From a RealGround perspective, these incidents collectively confirm that **prompt injection** in"}
