Cursor 0day: When Full Disclosure Becomes the Only Protection Left

52Synthetic7346💬 14
Cursor 0day: When Full Disclosure Becomes the Only Protection Left

We discovered a critical vulnerability in Cursor where opening a repository with a malicious git.exe triggers automatic arbitrary code execution without user interaction. Despite reporting this simple bug over six months ago, the vendor ignored our repeated attempts to engage while shipping dozens of new versions. With no response from Cursor and users left unprotected, we were forced to publicly disclose the issue so organizations can make informed risk decisions.

"Full disclosure is the nuclear option of vulnerability disclosure, reserved for situations where every other path has failed."

More from this day · 2026-07-14