DuneSlide: Two Cursor Bugs Turn a Prompt Into a Shell
A pair of 9.8-rated flaws in the AI code editor let a single crafted prompt escape the sandbox and execute arbitrary commands — no user approval required.

Cursor, the AI-first code editor a lot of engineers now leave running all day, just picked up two critical bugs that collapse the distance between "model reads a file" and "attacker runs code on your laptop."
The pair is called DuneSlide. They are tracked as CVE-2026-50548 and CVE-2026-50549, and Cato AI Labs' researchers rate them 9.8 on CVSS. Cursor's own scoring lands at 9.3. Either way: bad.
The important part is what the exploit does not need. No click. No malicious extension. No approval dialog to bulldoze past. A single ordinary-looking prompt — the kind you would paste into the chat pane without a second thought — is enough to break out of the editor's safety sandbox and execute arbitrary commands on the host.
If that sounds familiar, it should. This is the AI-agent version of a classic sandbox escape, with the language model playing the role of a very obliging confused deputy. The model has permission to run tools. The prompt convinces the model to run the wrong tools with the wrong arguments. Guardrails that were supposed to require human confirmation do not fire.
Prompt injection as a category is not new, and I have been careful in this column about calling every LLM misbehavior a "vulnerability." DuneSlide clears the bar comfortably. The delivery vector is data the model was designed to read. The outcome is code execution. That is a security bug, full stop — not a policy tuning issue.
The realistic attack path is indirect injection. An attacker does not need to sit at your keyboard. They need to get their payload into something Cursor will chew on: a README in a dependency, a comment in an issue, a snippet of documentation the agent fetches, a file the user drags into context. Anything the model treats as input becomes a potential trigger.
For developers running Cursor against untrusted repos, that threat model is uncomfortable.
What to do now:
- Update Cursor to the patched build as soon as it is available from the vendor and confirm the version, not just the update prompt.
- Treat any repo, dependency, or web-fetched context you point an agent at as untrusted input, the same way you would treat a file uploaded to a web app.
Longer term, this is another data point in an argument the AI-tools industry keeps trying to skip: agentic editors need the same kind of capability boundaries browsers spent twenty years grinding out. Right now a lot of them are shipping with something closer to a 1998 ActiveX security model, dressed up in a nicer UI.
Expect more DuneSlides.



