RCE in Cursor
CVE-2026-48124
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious worksp…
Vulnerability class: RCE (Remote Code Execution)
Affected products
- Cursor — versions < 3.0.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)