CVE-2026-26268 – Cursor sandbox escape via Git hooks

CVE ID : CVE-2026-26268

Published : Feb. 13, 2026, 5:16 p.m. | 1 hour, 13 minutes ago

Description : Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5.

Severity: 8.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…