Patched in Cursor 3.0, CVE-2026-50548 and CVE-2026-50549 could enable zero-click command execution via hidden instructions.

Patched in Cursor 3.0, CVE-2026-50548 and CVE-2026-50549 could enable zero-click command execution via hidden instructions.

Two high-severity vulnerabilities in Cursor AI editor allowed arbitrary command execution without user interaction. Patch now available in Cursor 3.0.

New vulnerabilities in Cursor IDE expose how prompt injection can bypass AI sandbox protections to enable remote code execution.