{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T03:15:52.780","vulnerabilities":[{"cve":{"id":"CVE-2026-26268","sourceIdentifier":"security-advisories@github.com","published":"2026-02-13T17:16:14.227","lastModified":"2026-02-18T17:59:35.067","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5."},{"lang":"es","value":"Cursor es un editor de código diseñado para programar con IA. El escape de la sandbox mediante la escritura de la configuración .git era posible en versiones anteriores a la 2.5. Un agente malicioso (es decir, inyección de prompt) podría escribir en configuraciones .git protegidas de forma inadecuada, incluyendo los git hooks, lo que podría causar RCE fuera de la sandbox la próxima vez que se activen. No se requería interacción del usuario, ya que Git ejecuta estos comandos automáticamente. Corregido en la versión 2.5."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.3,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*","versionEndExcluding":"2.5","matchCriteriaId":"1D4650BA-96CA-44D8-B3E5-B69D13EF7D1D"}]}]}],"references":[{"url":"https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}