Cursor and Windsurf outdated Chromium/V8 builds multiple vulnerabilities security flaw (CVE-2025-7656)

Vulnerability
First reported
Last updated
Happening score
H score 15
1 unique source, 1 article

Summary

Researchers confirmed that outdated Chromium/V8 builds in Cursor and Windsurf expose an estimated 1.8 million developers to 94+ patched vulnerabilities. A proof-of-concept for CVE-2025-7656 shows the exposure can be reached through a deeplink and can crash the renderer. The same flaw path may also enable arbitrary code execution in a real attack.

Timeline

  1. 21.10.2025 22:00 · 1 article

    Cursor and Windsurf remain on outdated Chromium/V8 builds

    Technical Analysis Update

    Cursor and Windsurf shipped Electron-based IDE releases rooted in older VS Code and Chromium 132.0.6834.210 as of 2025-03-21, leaving their bundled Chromium and V8 stack exposed to at least 94 known CVEs already patched upstream.
  2. 21.10.2025 22:00 · 2 articles

    Ox Security discloses CVE-2025-7656 exposure in Cursor and Windsurf

    Initial Disclosure

    On October 12, Ox Security disclosed that Cursor and Windsurf could be driven through a deeplink to a remote URL hosting exploit payloads, where JavaScript can trigger CVE-2025-7656 and crash the renderer. The researchers said arbitrary code execution is also possible and estimated that 1.8 million developers are exposed. Cursor called the report out of scope, while Windsurf did not respond by 2025-10-21.