The Wire
Vibe Coding

Cursor 'DuneSlide' Sandbox-Escape Flaws (CVE-2026-50548/50549, CVSS 9.8) Disclosed

Hard2bitmedium signal

Cato AI Labs disclosed two critical Cursor vulnerabilities dubbed DuneSlide: one abuses the sandbox trusting an agent-chosen working folder to overwrite the sandbox enforcer itself, the other exploits a symlink safety check that trusts the apparent path when link resolution fails. Both rate CVSS 9.8 and enable escape from the agent sandbox to unrestricted command execution. They were patched in Cursor 3.0, so the actionable step is confirming your install is on 3.0+.

Follow the thread

Cursor 'DuneSlide' Sandbox-Escape Flaws (CVE-2026-50548/50549, CVSS 9.8) Disclosed | MindPattern