Cato Networks reported two critical flaws in Cursor, tracked as CVE-2026-50548 and CVE-2026-50549, that could let attackers achieve remote code execution on the host operating system outside the IDE sandbox. The issues, dubbed DuneSlide, were patched in Cursor 3.0 after being disclosed in February.
Key points
- Two critical Cursor vulnerabilities can lead to remote code execution on the underlying OS.
- The flaws are tracked as CVE-2026-50548 and CVE-2026-50549, with a CVSS score of 9.8.
- One issue abuses automatic terminal command execution and unsafe working directory handling.
- The second issue uses symlink path resolution edge cases to bypass out-of-bounds write protections.
- Cursor 3.0 includes patches for both vulnerabilities.
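
The second key point describes a general bug class: a write-boundary check that reasons about path text instead of the resolved filesystem location. The sketch below is an added illustration of that class and of the hardened check. It is not Cursor's code or Cato Networks' proof of concept, and the function names, directory layout and file names are hypothetical and constructed for the demo.

```python
import os
import tempfile


def lexical_is_inside(workspace, target):
    """Weak check: collapses '..' as text only; symlinks are never resolved."""
    ws = os.path.abspath(workspace)
    candidate = os.path.normpath(os.path.join(ws, target))
    return os.path.commonpath([ws, candidate]) == ws


def resolved_is_inside(workspace, target):
    """Stronger check: resolve symlinks on both sides before comparing.

    realpath() follows links in the existing part of the path even when
    the final file has not been created yet, which is the write case.
    """
    ws = os.path.realpath(workspace)
    candidate = os.path.realpath(os.path.join(ws, target))
    return os.path.commonpath([ws, candidate]) == ws


def demo():
    """Build a constructed workspace whose 'assets' entry is a symlink to a
    directory outside it, then run both checks on three relative paths."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "workspace")
        outside = os.path.join(root, "outside")
        os.makedirs(os.path.join(workspace, "src"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(workspace, "assets"))
        for target in ("src/main.py", "../outside/x.cfg", "assets/x.cfg"):
            results[target] = (
                lexical_is_inside(workspace, target),
                resolved_is_inside(workspace, target),
            )
    return results


if __name__ == "__main__":
    for target, (lexical, resolved) in demo().items():
        print(f"{target:20} lexical={lexical} resolved={resolved}")
```

Resolving before writing still leaves a window between the check and the write. Opening the file with `O_NOFOLLOW`, or relative to an already-validated directory descriptor, closes that window.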