Vibe Coding
CVE-2026-30615: Prompt-Injection RCE in Windsurf 1.9544.26
A newly catalogued prompt-injection vulnerability (CVE-2026-30615) in Windsurf 1.9544.26 lets remote attackers execute arbitrary commands on a victim's system by smuggling instructions into content the agent processes. It lands amid a wider June 2026 MCP/agent security wave in which nine separate CVEs were traced to broken OAuth flows. Builders running Windsurf/Devin-Desktop agents should update and treat all untrusted file and web content as potential injection vectors.
Source
↳ Follow the thread