Cursor and Windsurf outdated Chromium/V8 builds multiple vulnerabilities security flaw (CVE-2025-7656)
Vulnerability
Summary
Hide ▲
Show ▼
Researchers confirmed that outdated Chromium/V8 builds in Cursor and Windsurf expose an estimated 1.8 million developers to 94+ patched vulnerabilities. A proof-of-concept for CVE-2025-7656 shows the exposure can be reached through a deeplink and can crash the renderer. The same flaw path may also enable arbitrary code execution in a real attack.
Related Happenings
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation Wave
H score87
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
ExploitBench benchmark shows frontier AI models can stage Chrome exploit chains against vulnerable V8 builds
Technical Analysis
H score16
First: 04.06.2026 16:00
Last: 04.06.2026 16:00
Sources 1
About this happening:
Bugcrowd’s **ExploitBench** now shows frontier AI models can progress through staged **Google Chrome** exploit chains, raising the risk of faster **AI-assisted exploit development...
ExploitBench benchmark shows frontier AI models can stage Chrome exploit chains against vulnerable V8 builds
Technical AnalysisAbout this happening: Bugcrowd’s **ExploitBench** now shows frontier AI models can progress through staged **Google Chrome** exploit chains, raising the risk of faster **AI-assisted exploit development...
Chromium JavaScript background RCE flaw
Vulnerability
H score16
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
ChromaDB Python API exposure mitigation (CVE-2026-45829)
Advisory/Mitigation
H score25
First: 20.05.2026 01:25
Last: 20.05.2026 01:25
Sources 1
About this happening:
**HiddenLayer** urged **ChromaDB** users to harden exposed deployments because **CVE-2026-45829** can still enable code execution on the **Python FastAPI** server. Until patch sta...
ChromaDB Python API exposure mitigation (CVE-2026-45829)
Advisory/MitigationAbout this happening: **HiddenLayer** urged **ChromaDB** users to harden exposed deployments because **CVE-2026-45829** can still enable code execution on the **Python FastAPI** server. Until patch sta...
Cursor IDE MCP deeplink code execution security flaw
Vulnerability
H score37
First: 17.03.2026 17:00
Last: 17.03.2026 17:00
Sources 1
About this happening:
A **Cursor IDE** flaw in **MCP deeplinks** can let crafted installation links trigger **arbitrary commands** or install **malicious components** under some user-approval and confi...
Cursor IDE MCP deeplink code execution security flaw
VulnerabilityAbout this happening: A **Cursor IDE** flaw in **MCP deeplinks** can let crafted installation links trigger **arbitrary commands** or install **malicious components** under some user-approval and confi...
Timeline
-
21.10.2025 22:00 1 articles · 8mo ago
Cursor and Windsurf remain on outdated Chromium/V8 builds
Technical Analysis UpdateCursor and Windsurf shipped Electron-based IDE releases rooted in older VS Code and Chromium 132.0.6834.210 as of 2025-03-21, leaving their bundled Chromium and V8 stack exposed to at least 94 known CVEs already patched upstream.
Show sources
- Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilities — www.bleepingcomputer.com — 21.10.2025 22:00
-
21.10.2025 22:00 2 articles · 8mo ago
Ox Security discloses CVE-2025-7656 exposure in Cursor and Windsurf
Initial DisclosureOn October 12, Ox Security disclosed that Cursor and Windsurf could be driven through a deeplink to a remote URL hosting exploit payloads, where JavaScript can trigger CVE-2025-7656 and crash the renderer; the researchers said arbitrary code execution is also possible, estimated 1.8 million developers are exposed, and Cursor called the report out of scope while Windsurf did not respond by 2025-10-21.
Show sources
- Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilities — www.bleepingcomputer.com — 21.10.2025 22:00
- Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilities — www.bleepingcomputer.com — 21.10.2025 22:00