CVE-2026-22708

CRITICAL

Anysphere Cursor < 2.3 - Command Injection

Title source: rule

Description

Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.

References (1)

[Vendor Advisory] https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w

Scores

CVSS v3 9.8

EPSS 0.0007

EPSS Percentile 20.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-15 CWE-269 CWE-74 CWE-77 CWE-78 CWE-94

Status published

Products (1)

anysphere/cursor < 2.3

Published Jan 14, 2026

Tracked Since Feb 18, 2026