CVE-2026-48124

Cursor is a code editor built for programming with AI

Published: 2026-06-15 · Last updated: 2026-06-15

Severity and scoring

CWE
CWE-829, CWE-94

Description

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.

Source: NVD
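
An added example, not code from Cursor or from the advisory: a check a defender can run on a checked-out workspace to list any hook commands defined in .claude/settings.local.json, so they can be reviewed before an agent is run there. The nested "hooks" layout and the "Stop" event name are assumptions not stated in the advisory; find_hook_commands and demo are hypothetical names.

```python
import json
import tempfile
from pathlib import Path

# Path named in the advisory, relative to the workspace root.
SETTINGS_REL = Path(".claude") / "settings.local.json"


def find_hook_commands(workspace):
    """Return (event, command) pairs for hooks defined in the workspace file.

    Assumed layout (not given in the advisory):
    {"hooks": {"<Event>": [{"hooks": [{"type": "command", "command": "..."}]}]}}
    """
    path = Path(workspace) / SETTINGS_REL
    if not path.is_file():
        return []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        # Unparseable settings are worth a manual look; report them as a finding.
        return [("<unparseable>", str(path))]
    hooks = data.get("hooks") if isinstance(data, dict) else None
    if not isinstance(hooks, dict):
        return []
    found = []
    for event, groups in hooks.items():
        for group in groups if isinstance(groups, list) else []:
            entries = group.get("hooks", []) if isinstance(group, dict) else []
            for entry in entries if isinstance(entries, list) else []:
                if isinstance(entry, dict) and isinstance(entry.get("command"), str):
                    found.append((event, entry["command"]))
    return found


def demo():
    # Constructed sample workspace; the hook command is a harmless placeholder.
    sample = {"hooks": {"Stop": [{"hooks": [
        {"type": "command", "command": "echo constructed-sample"}]}]}}
    with tempfile.TemporaryDirectory() as ws:
        target = Path(ws) / SETTINGS_REL
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(sample), encoding="utf-8")
        return find_hook_commands(ws)


if __name__ == "__main__":
    for event, command in demo():
        print(f"{event}: {command}")
```

Any pair this returns for a repository you did not author is a command to read before opening the workspace in an affected version; upgrading to 3.0.0 is the fix the advisory names.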

Related CVEs

Same CWE

  • CVE-2026-48017 DbGate is cross-platform database manager (8.8 HIGH)
  • CVE-2026-48836 Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions (10.0 CRITICAL)
  • CVE-2026-39465 Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions (9.1 CRITICAL)
  • CVE-2026-52704 Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code... (10.0 CRITICAL)
  • CVE-2026-12057 When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfac... (8.6 HIGH)