Cato AI Labs disclosed two critical vulnerabilities in Cursor, a popular AI code editor used by developers. The flaws, tracked as CVE-2026-50548 and CVE-2026-50549 and collectively named DuneSlide, carry CVSS scores of 9.8 and 9.3 respectively.

An attacker exploiting these vulnerabilities can inject a malicious prompt into Cursor that breaks the editor's safety sandbox and executes arbitrary commands on a developer's machine. The attack requires no user interaction. A developer viewing a seemingly benign code snippet or prompt triggers the exploit automatically.

The vulnerabilities stem from insufficient input validation in Cursor's prompt processing logic. An attacker crafts specially formatted input that bypasses the sandbox restrictions, allowing execution of shell commands with the privileges of the user running Cursor. This grants full system access.

The risk affects any developer using Cursor who processes untrusted code or prompts. An attacker could embed the malicious prompt in a GitHub repository, code snippet, documentation, or any platform where developers copy-paste content into Cursor. Once executed, the attacker gains code execution on the developer's workstation, potentially compromising credentials, stealing source code, installing malware, or pivoting to corporate networks.

Cursor developers must patch immediately. Users should update to the latest version addressing CVE-2026-50548 and CVE-2026-50549. Until patching completes, developers should avoid loading untrusted code into Cursor and disable automatic prompt execution features if available.

This vulnerability class represents a growing threat in AI-assisted development tools. As more developers rely on AI code editors, attackers increasingly target the human-machine interface layer where validation gaps exist. Cursor's sandbox escape demonstrates that AI tooling vendors must implement robust isolation mechanisms and validate all external input before processing, regardless