CVE Catalog

CVE-2026-48124

HighCVSS 8.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile - higher than 3% of all known CVEs

Summary

Cursor is a code editor designed for programming with AI. In versions prior to 3.0.0, Cursor Desktop could execute workspace-defined hook commands from .claude/settings.local.json without dedicated user approval.

Risk Assessment

A malicious file created by a workspace or agent could configure hooks that run local commands in the user's context, potentially leading to sandbox escape, persistence, or local data compromise.

Recommendation

It is recommended to upgrade to version 3.0.0 to mitigate this vulnerability and secure the system against potential attacks.

Original NVD description (English source)

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS