A critical remote code execution (RCE) vulnerability has been identified in the Cursor AI Code Editor that allows an attacker to execute arbitrary commands on a developer’s machine the moment a project folder is opened.
Discovered by the research team at Oasis Security, the flaw exploits a default configuration in Cursor that mirrors Visual Studio Code’s “Workspace Trust” feature but leaves it disabled by default, bypassing any user consent prompts.
https://cyberpress.org/cursor-ai-code-editor-rce-flaw/