<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
    <title>RealGround Daily AI Security Briefings</title>
    <link>https://www.realground.com/daily</link>
    <description>Self-updating threat intelligence reporting on prompt injection, agent risks, and model vulnerabilities.</description>
    <language>en-us</language>
    <lastBuildDate>Wed, 08 Jul 2026 16:53:49 GMT</lastBuildDate>
    <atom:link href="https://www.realground.com/rss.xml" rel="self" type="application/rss+xml" />
    
        <item>
            <title><![CDATA[Cursor ‘DuneSlide’ Bugs Show How a Single Prompt Can Escape the IDE and Hit the OS]]></title>
            <link>https://www.realground.com/daily/2026-07-08</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-08</guid>
            <pubDate>Wed, 08 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting describes two critical Cursor vulnerabilities, CVE-2026-50548 and CVE-2026-50549 (“DuneSlide”), that allow a single prompt injection to escape the IDE sandbox and achieve OS-level remote code execution with the developer’s privileges.[8][0] Factually, these flaws are triggered when the agent ingests untrusted content (e.g., MCP responses or web results), enabling arbitrary file writes and command execution outside the terminal sandbox; fixes ship in Cursor 3.0.[0][8] Additional research and prior CVEs (CurXecute, MCPoison, and related MCP handling issues) show that Cursor’s interaction with MCP servers and editor special files has repeatedly allowed prompt-controlled agents to run arbitrary commands or silently persist code execution after a one-time trust decision.[6][7][9] Separate academic work on agentic coding editors reports prompt-injection success rates up to 84% for making tools like Cursor and Copilot execute malicious commands, including credential theft and data exfiltration, underscoring that this is a structural class of failure, not an isolated bug.[2][3] From a RealGround perspective, these incidents collectively confirm that **prompt injection** in]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[Cursor DuneSlide Bugs Show How a Single Prompt Can Escape IDE Sandboxes and Hit the OS]]></title>
            <link>https://www.realground.com/daily/2026-07-07</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-07</guid>
            <pubDate>Tue, 07 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting on the Cursor AI code editor’s DuneSlide vulnerabilities (CVE-2026-50548 and CVE-2026-50549) shows that **a single zero‑click prompt injection** can escape the IDE’s sandbox and execute arbitrary commands with OS‑level privileges on a developer machine in versions prior to Cursor 3.0.[8] One described attack path relies on prompt injection hidden in content the agent ingests (MCP server responses, web results, or editor context), allowing arbitrary file writes and remote code execution under the user’s privileges.[1][7][8] Separate research and advisories on CurXecute/MCPoison and related Cursor flaws confirm a broader pattern: agentic coding editors routinely allow prompt-driven workflows to reach terminals, shells, and configuration files, with chained prompt injection and context manipulation enabling silent RCE and persistent compromise.[1][6][7][9] RealGround analysis: these DuneSlide bugs are best understood as a **high‑severity prompt injection and agent‑sandboxing failure**, not just another IDE RCE—attackers can move from a "harmless" natural‑language instruction to full OS compromise without extra clicks, making any AI‑augmented development workflow a cri]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[Cursor AI IDE Prompt Injection Flaws Enable Sandbox Escape and OS-Level RCE]]></title>
            <link>https://www.realground.com/daily/2026-07-06</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-06</guid>
            <pubDate>Mon, 06 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting describes multiple critical **prompt injection** vulnerabilities in the Cursor AI code editor that allow a single malicious prompt, often delivered via MCP server responses or other ingested content, to escape the IDE’s sandbox and execute arbitrary commands on the underlying operating system with the user’s privileges.[8][6][7] These issues, including DuneSlide (CVE-2026-50548/50549) and earlier CurXecute/MCPoison flaws, show that indirect prompt injection through external tools and special editor files can turn an AI coding agent into a high-privilege local shell capable of arbitrary file writes and remote code execution.[8][6][7][1] Factually, vendors have released patched versions (e.g., Cursor 3.0+ and 1.3.x) and recommend updating, tightening MCP trust, and enabling stronger workspace trust controls to reduce exploitation risk.[6][8][9] RealGround analysis: this is a systemic **prompt injection and agent-sandboxing** pattern in AI IDEs, where model output drives tool execution, so any untrusted context (MCP, web, repos) can become a stealth RCE vector if command boundaries and business logic are not explicitly constrained.[1][2][3][7] Organizations should tre]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[Cursor prompt injection flaws highlight agent sandbox escape risk]]></title>
            <link>https://www.realground.com/daily/2026-07-05</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-05</guid>
            <pubDate>Sun, 05 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting describes critical Cursor vulnerabilities where a single prompt injection can escape the editor sandbox and execute commands on a developer’s machine, with fixes available in Cursor 3.0.[8][1] Separate research on agentic coding editors shows prompt injection can drive unauthorized command execution, credential theft, and data exfiltration, with attack success rates reported as high as 84% in testing.[2] RealGround would treat this as a high-severity prompt-injection issue because the risk is not just malicious text, but untrusted content influencing tool use, file writes, and shell execution in AI-enabled workflows.[1][2][3] The operational concern is broader than Cursor itself: any IDE agent, MCP server, or external content source that can shape model context becomes a potential execution path if trust boundaries are weak.[1][3][4] Organizations should prioritize hardening prompt boundaries, tightening tool permissions, and validating all untrusted inputs before they reach agentic workflows.[3][4]]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[Cursor AI IDE prompt injection flaws enable sandbox escape and OS-level code execution]]></title>
            <link>https://www.realground.com/daily/2026-07-04</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-04</guid>
            <pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting on the DuneSlide vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI code editor shows that a **single zero‑click prompt injection** can escape the IDE’s sandbox and execute arbitrary commands with OS‑level privileges on a developer’s machine, affecting all versions prior to Cursor 3.0.[9] Separate vendor advisories and research highlight that Cursor agents can be driven by indirect prompt injection via MCP server responses, editor special files, or malicious repositories, leading to arbitrary file writes and remote command execution under the user’s privileges.[1][4][8][9] These are facts from the disclosed CVEs and technical analyses, which consistently describe prompt injection as the primary attack vector enabling remote code execution in AI‑augmented development workflows.[1][2][4][7][8][9] From a RealGround perspective, this elevates **prompt injection** in agentic IDEs from a model‑output risk to a full endpoint compromise scenario, where seemingly benign content (MCP responses, tasks.json, rules files, web results) can silently steer agents to run high‑privilege commands.[1][3][4][8][9] RealGround analysis is that organizations should treat]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[Cursor ‘DuneSlide’ Flaws Turn Single Prompt Into Full OS Compromise Vector]]></title>
            <link>https://www.realground.com/daily/2026-07-03</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-03</guid>
            <pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting on the DuneSlide vulnerabilities in the Cursor AI code editor (CVE-2026-50548 and CVE-2026-50549) shows that **a single zero‑click prompt injection can escape Cursor’s sandbox and execute arbitrary commands with OS‑level privileges on a developer machine**, affecting all versions prior to Cursor 3.0.[7][2] These attacks work by hiding malicious instructions in content the agent ingests (e.g., MCP server responses or web results), allowing arbitrary file writes, remote code execution, and full environment compromise under the user’s privileges.[7][1] Additional research and advisories on Cursor and similar agentic coding editors confirm that prompt injection is now a practical, high‑success‑rate path to turning “developer’s AI” into an attacker‑controlled shell, with reported command‑execution success rates up to 84% across tools and scenarios.[3][6] From a RealGround analysis perspective, this is a high‑severity **prompt injection and agent‑sandboxing risk**: IDE agents have direct access to local files, terminals, MCP/CLI integrations, and sometimes secrets, so a single poisoned resource can silently pivot into full OS‑level compromise. RealGround would treat affe]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[Cursor Sandbox Flaws Turn Prompt Injection Into Full Host Command Execution]]></title>
            <link>https://www.realground.com/daily/2026-07-02</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-02</guid>
            <pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting describes two critical Cursor IDE vulnerabilities, CVE-2026-50548 and CVE-2026-50549, that allow a single malicious prompt to escape the agent’s terminal sandbox and execute arbitrary commands on a developer’s machine, with fixes released in Cursor 3.0.[0] The attack path relies on **prompt injection delivered via content the agent ingests**—such as MCP server responses or web results—to pivot from semantic instructions into arbitrary file writes and remote code execution under the user’s privileges.[0] This aligns with broader research showing prompt injection is now the **top-ranked OWASP LLM risk** and a structural, system-level issue that can override security controls, hijack goals, leak data, and trigger unintended tool use across agents and workflows.[1][5][6] RealGround analysis: this Cursor case demonstrates how prompt injection is no longer just a chatbot integrity problem but a **high‑impact agent and IDE exploitation vector**, where untrusted content interpreted as instructions can directly drive host-level compromise. RealGround would treat this as a high-risk prompt-injection and agent-sandboxing issue that warrants hardening command boundaries, audit]]></description>
            <category>prompt injection</category>
        </item>
        
        <item>
            <title><![CDATA[FortiBleed Credential Cache Drives High-Impact Data Leakage Risk for AI Environments]]></title>
            <link>https://www.realground.com/daily/2026-07-01</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-07-01</guid>
            <pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting on the FortiBleed campaign indicates attackers have compiled more than **70,000–86,000 verified administrator and VPN credentials** for internet-facing Fortinet FortiGate firewalls worldwide, representing roughly half of all exposed devices.[2][4][7] Researchers and CISA warn that control of these perimeter devices enables unauthorized firewall administration, VPN compromise, lateral movement into Active Directory, and data exfiltration from internal networks.[1][2][5][7] Fortinet and CISA recommend immediate termination of all admin/VPN sessions, full credential rotation, MFA enforcement, upgrading to PBKDF2-based credential storage, and locking down management interfaces to trusted networks.[3][4][5] From a RealGround perspective, any AI models, agents, data pipelines, or vector stores reachable from networks behind compromised Fortinet appliances should be treated as at risk for **secondary data leakage**, including exposure of training data, logs, prompts, and operational telemetry that may contain sensitive or regulated information. RealGround analysis further suggests organizations prioritize mapping exposure paths from Fortinet devices into AI workloads, tes]]></description>
            <category>data leakage</category>
        </item>
        
        <item>
            <title><![CDATA[FortiBleed Credential Heist Drives High AI Data Leakage Risk Behind Fortinet Edges]]></title>
            <link>https://www.realground.com/daily/2026-06-30</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-06-30</guid>
            <pubDate>Tue, 30 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting on the **FortiBleed** campaign indicates attackers have compiled more than 73,000–86,000 verified working credentials for internet‑facing Fortinet FortiGate firewalls and VPNs, representing roughly half of all reachable devices worldwide.[2][4] These stolen admin and SSL VPN credentials enable remote takeover of perimeter devices, manipulation of firewall rules, interception of VPN traffic, and creation of persistent tunnels that provide deep access into internal networks and identity systems such as Active Directory.[1][2][4] Factually, Fortinet and CISA advise immediate session termination, full credential rotation, MFA enforcement, PBKDF2‑based credential storage, and strict lockdown of management interfaces to trusted networks.[3][5] From a RealGround perspective, any AI systems, agents, or data pipelines sitting behind Fortinet appliances face elevated **data leakage** risk: once attackers control the edge, they can pivot into environments hosting models, training data, vector stores, and operational logs to exfiltrate sensitive AI inputs, outputs, and configuration data.[2][4] RealGround analysis is that organizations should assume perimeter and credential co]]></description>
            <category>data leakage</category>
        </item>
        
        <item>
            <title><![CDATA[FortiBleed-driven credential leaks heighten downstream data exposure risk]]></title>
            <link>https://www.realground.com/daily/2026-06-29</link>
            <guid isPermaLink="true">https://www.realground.com/daily/2026-06-29</guid>
            <pubDate>Mon, 29 Jun 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Public reporting indicates the FortiBleed campaign has compiled more than 86,000 verified working credentials for internet-accessible Fortinet firewalls and VPNs, and post-exploitation activity has included lateral movement into internal environments behind those devices. Fortinet recommends terminating active sessions, resetting admin and VPN passwords, enforcing MFA, upgrading to PBKDF2-based credential storage, and restricting management access to trusted networks. From a RealGround perspective, the main risk is secondary data leakage: if AI systems, data pipelines, or model-access infrastructure sit behind affected perimeter devices, stolen credentials could be used to reach sensitive data or internal AI assets. Organizations should treat perimeter credential compromise as a potential path to model, prompt, log, and data exfiltration, even if the initial issue is outside the AI stack itself. Continuous monitoring for compromised credentials and rapid access revocation are the most relevant near-term controls.]]></description>
            <category>data leakage</category>
        </item>
        
</channel>
</rss>
