🔐 CVE Alert

CVE-2026-31854

UNKNOWN 0.0

Cursor Affected by Arbitrary Code Execution via Prompt Injection and Whitelist Bypass

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0.

CWE: CWE-78
Vendor: cursor
Product: cursor
Published: Mar 11, 2026
Last Updated: Mar 11, 2026

Affected Versions

cursor / cursor
< 2.0

References

github.com: https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q