Description
Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.
References (1)
Core References
Various Sources
https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/
Scores
CVSS v3: 9.8
EPSS: 0.0123
EPSS Percentile: 64.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (1)
cursor/cursor: 1.3.4 - 2.0
Published: Nov 26, 2025
Tracked Since: Feb 18, 2026