cd /news/ai-safety/cato-labs-discloses-critical-rce-fla… · home topics ai-safety article
[ARTICLE · art-47428] src=letsdatascience.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Cato Labs Discloses Critical RCE Flaws In Cursor IDE

Cato AI Labs disclosed two critical remote-code-execution vulnerabilities in Cursor IDE on July 1, 2026, tracked as CVE-2026-50548 and CVE-2026-50549, with a CVSS score of 9.8. The flaws allow zero-click indirect prompt injection to escape Cursor's terminal sandbox and achieve full RCE on a developer's machine. Cursor shipped fixes in version 3.0 on April 2 after Cato reported the issues in February, and Cato is now disclosing similar issues in other coding agents.

read1 min views1 publishedJul 3, 2026

For teams that treat AI coding agents as just another IDE plugin, DuneSlide is a reminder that giving an LLM unsupervised command-execution privileges creates an entirely new class of remote-code-execution attack surface that classical sandboxing was never designed to stop. Cato AI Labs disclosed on July 1, 2026 two critical, 9.8-CVSS vulnerabilities in Cursor IDE, tracked as CVE-2026-50548 and CVE-2026-50549, that let a zero-click, indirect prompt injection, delivered through something as ordinary as an MCP server response or a poisoned web search result, escape Cursor's terminal sandbox and achieve full remote code execution on a developer's machine. Cato said it reported both flaws in February, and Cursor shipped fixes for both in its version 3.0 release on April 2, with CVE IDs formally assigned June 5. Cato, whose researchers describe Cursor as used by over half the Fortune 500, said it is now disclosing similar issues across other popular coding agents.

── more in #ai-safety 4 stories · sorted by recency
── more on @cato ai labs 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/cato-labs-discloses-…] indexed:0 read:1min 2026-07-03 ·