{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31854", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.011Z", "datePublished": "2026-03-11T17:11:52.028Z", "dateUpdated": "2026-03-11T17:35:37.440Z"}, "containers": {"cna": {"title": "Cursor Affected by Arbitrary Code Execution via Prompt Injection and Whitelist Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q"}], "affected": [{"vendor": "cursor", "product": "cursor", "versions": [{"version": "< 2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:11:52.028Z"}, "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to \u201cassist\u201d the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user\u2019s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0."}], "source": {"advisory": "GHSA-hf2x-r83r-qw5q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:34:57.538712Z", "id": "CVE-2026-31854", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:35:37.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31854", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T17:34:57.538712Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T17:35:28.850Z"}}], "cna": {"title": "Cursor Affected by Arbitrary Code Execution via Prompt Injection and Whitelist Bypass", "source": {"advisory": "GHSA-hf2x-r83r-qw5q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cursor", "product": "cursor", "versions": [{"status": "affected", "version": "< 2.0"}]}], "references": [{"url": "https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q", "name": "https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to \u201cassist\u201d the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user\u2019s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:11:52.028Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31854", "state": "PUBLISHED", "dateUpdated": "2026-03-11T17:35:37.440Z", "dateReserved": "2026-03-09T19:02:25.011Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:11:52.028Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "630DF821-F0CF-4B9C-BC9F-EB7B9FD9E4C3", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to \u201cassist\u201d the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user\u2019s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0."}, {"lang": "es", "value": "Cursor es un editor de c\u00f3digo dise\u00f1ado para programar con IA. Antes de 2.0, si un sitio web visitado contiene instrucciones creadas maliciosamente, el modelo podr\u00eda intentar seguirlas para 'asistir' al usuario. Cuando se combina con una omisi\u00f3n del mecanismo de lista blanca de comandos, tales inyecciones de prompt indirectas podr\u00edan resultar en la ejecuci\u00f3n autom\u00e1tica de comandos, sin la intenci\u00f3n expl\u00edcita del usuario, lo que representa un riesgo de seguridad significativo. Esta vulnerabilidad se ha corregido en 2.0."}], "id": "CVE-2026-31854", "lastModified": "2026-03-20T16:34:35.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T17:16:58.917", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cursor", "source": "cna", "vendor": "cursor"}, "product": "cursor", "vendor": "cursor"}], "analysis": {"en": {"generated_at": "2026-03-20T17:32:26.559790+00:00", "value": {"mitigation_remediation": ["Upgrade Cursor to version\u202f2.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "Cursor\u2019s code editor is affected for all releases prior to version 2.0. Users running the product before the 2.0 update are susceptible to this flaw.", "description_and_impact": "The vulnerability is an OS command injection that arises when the model processes malicious instructions presented on a visited website. By bypassing the command whitelist, the system may unknowingly execute those instructions, resulting in arbitrary code execution. The impact includes potential confidentiality, integrity, and availability compromise for the user\u2019s environment.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity, while an EPSS score of less than 1\u202f% suggests a low likelihood of current exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is a maliciously crafted web page that a user infects the editor with while it is running, combined with a whitelist bypass that the editor inadvertently permits."}}}}, "created": "2026-03-12T09:57:41.699462+00:00", "updated": "2026-03-23T09:55:21.227625+00:00", "vendors": ["cursor", "cursor$PRODUCT$cursor"]}