At a glance: Two sandbox-escape vulnerabilities (CVE-2026-50548, CVE-2026-50549, CVSS 9.8) in Cursor enable remote code execution on the operating system via manipulated prompts — patch available since April.
Security firm Cato Networks has disclosed two critical vulnerabilities in the AI development environment Cursor that allow attackers to bypass the sandbox and execute code directly on the host system — without user confirmation. Versions prior to 3.0 are affected.
Cato Networks has registered the two vulnerabilities, referred to as “DuneSlide,” and assigned them the CVE IDs CVE-2026-50548 and CVE-2026-50549. Both achieve a CVSS score of 9.8 and enable escape from Cursor’s isolated environment to execute commands directly on the underlying operating system. The core problem: Cursor automatically executes terminal commands within the sandbox without requiring prior user confirmation.