Find notable cyber news and cases, enriched with sources, timelines, and signals.

Cursor IDE MCP deeplink code execution security flaw

Vulnerability
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

A Cursor IDE flaw in MCP deeplinks can let crafted installation links trigger arbitrary commands or install malicious components under some user-approval and configuration conditions. The issue, dubbed CursorJack, was shown in controlled testing as of January 19, 2026 and was not automatic. A single click on a crafted link followed by approval of an installation prompt may be enough in some environments. The pathway is especially risky for developers handling API keys, credentials, and source code.

Related Happenings

AI coding assistants GhostApproval symlink security flaw

Vulnerability
H score22 First: 09.07.2026 07:27 Last: 09.07.2026 07:27 Sources 1

About this happening: A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....

Cursor local SQLite secret-storage exposing credentials security flaw

Vulnerability
H score34 First: 29.04.2026 18:00 Last: 29.04.2026 18:00 Sources 1

About this happening: A **high-severity** **Cursor** flaw lets installed extensions read secrets stored locally, exposing **API keys** and **session tokens** without user interaction. The weakness stem...

VSCode extensions local file theft and RCE vulnerabilities (multiple vulnerabilities)

Vulnerability
H score60 First: 17.02.2026 23:27 Last: 17.02.2026 23:27 Sources 1

About this happening: **High-to-critical vulnerabilities** in popular **VSCode extensions** can expose developers to **local file theft** and **remote code execution** across software downloaded more t...

Microsoft Copilot Reprompt prompt-injection security flaw

Vulnerability
H score0 First: 14.01.2026 16:00 Last: 14.01.2026 16:00 Sources 1

About this happening: **Reprompt** is a **Microsoft Copilot** prompt-injection flaw that can let a crafted **URL** trigger **invisible data exfiltration** from an authenticated session. The abuse path...

VS Code forks recommend nonexistent Open VSX extensions, enabling namespace-hijack supply-chain risk

Technical Analysis
H score23 First: 06.01.2026 13:25 Last: 06.01.2026 13:25 Sources 1

About this happening: Researchers found that **Cursor**, **Windsurf**, **Google Antigravity**, and **Trae** can recommend **non-existent Open VSX extensions**, creating a **supply-chain risk** if an at...

Timeline

  1. 17.03.2026 17:00 1 articles · 3mo ago

    Cursor IDE MCP deeplink testing reveals code-execution path

    Technical Analysis Update

    Controlled testing on January 19, 2026 showed that Cursor IDE's MCP deeplink handling could be abused by a crafted link that appears legitimate but carries harmful configuration data, and a click followed by installation-prompt approval may let the IDE execute commands with the user's privileges or install malicious components; no zero-click exploitation was observed.

    Show sources
  2. 17.03.2026 17:00 2 articles · 3mo ago

    Proofpoint discloses CursorJack and notifies Cursor

    Initial Disclosure

    On March 17, 2026, Proofpoint publicly disclosed CursorJack, published a proof-of-concept on GitHub, and notified Cursor through its vulnerability-reporting channel after describing the issue as a code-execution path in the Cursor IDE and recommending stronger built-in verification, permission controls, and installation transparency for MCP workflows.

    Show sources