Two critical remote code execution (RCE) vulnerabilities in Cursor IDE, the AI-power Cato AI Labs has disclosed two flaws, dubbed “DuneSlide,” both of which carry a 9.8 CVSS severity score and were assigned CVE-2026-50548 and CVE-2026-50549, allowing attackers to break out of Cursor’s sandbox entirely. The vulnerabilities demonstrate that prompt injection attacks can extend beyond manipulating an LLM’s output and reach into classical code paths never previously considered part of the attack surface. Exploitation lets a threat actor overwrite critical system files, such as the cursorsandbox binary, converting sandboxed terminal commands into fully unsandboxed RCE and compromising both the local machine and connected SaaS workspaces.
Full report: Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands.