Windsurf Prompt-Injection RCE: Attacker HTML Can Register a Malicious MCP Server
OX Security·medium signal
A disclosed prompt-injection vulnerability in Windsurf 1.9544.26 lets remote attackers execute arbitrary commands: when the editor processes attacker-controlled HTML, malicious instructions can modify the local MCP configuration and silently register a malicious STDIO MCP server. It underscores treating any externally fetched content as untrusted input to coding agents.