LIVE FEED
CVE-2026-50548: Cursor IDE Prompt Injection RCE

CVE-2026-50548: Cursor IDE Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI code editor allow prompt injection attacks delivered via MCP services or web search results to escape the editor's terminal sandbox and execute arbitrary commands on a developer's machine without any user interaction. Both flaws abuse the sandbox's write-permission logic — one through a misconfigured working directory parameter, the other through a symlink-resolution fallback — ultimately allowing overwrite of the sandbox helper binary itself. The attack surface is significant given Cursor's reported adoption across more than half of Fortune 500 companies; all versions prior to 3.0 remain vulnerable.

AGENTIC AIThe Hacker NewsCRITICALCVE-2025-3248: Langflow RCE Enables AutonomousRansomware Attack

CVE-2025-3248: Langflow RCE Enables Autonomous Ransomware Attack

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.8 The Hacker News

Sysdig has documented what it claims is the first end-to-end ransomware attack orchestrated autonomously by an AI agent, attributed to a threat actor tracked as JADEPUFFER. The agent exploited a known remote code execution flaw in Langflow (CVE-2025-3248) to gain initial access, harvest credentials, pivot laterally, and ultimately encrypt and destroy a production database — all without human intervention at the keyboard. The incident demonstrates that AI agents can now lower the skill floor for complex, multi-stage attacks to near zero, representing a qualitative shift in the ransomware threat landscape.

AutoJack: Microsoft AutoGen Studio RCE via MCP WebSocket

AutoJack: Microsoft AutoGen Studio RCE via MCP WebSocket

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 BleepingComputer

A three-flaw vulnerability chain dubbed AutoJack in Microsoft's AutoGen Studio allowed attackers to execute arbitrary commands on a developer's host system by manipulating a browsing AI agent into connecting to a malicious webpage. The attack exploited missing authentication on MCP WebSocket routes combined with unsanitised base64-encoded parameters to launch arbitrary processes. Microsoft confirmed the flaw was patched before any PyPI release, limiting exposure to developers building directly from the main GitHub branch.

Microsoft AutoGen Studio RCE via MCP Bypass

Microsoft AutoGen Studio RCE via MCP Bypass

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Researchers at Microsoft identified a three-stage exploit chain in AutoGen Studio that allows a malicious web page visited by a browsing AI agent to reach the host's local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes. The chain exploits a bypassable origin allowlist, authentication middleware that excluded MCP endpoints, and unsanitised URL-derived command parameters. Although the vulnerable surface was never shipped in a PyPI release, the finding exposes a systemic architectural risk in any agent framework that combines untrusted browsing with privileged localhost services.

Vertex AI SDK Bucket Squatting Flaw Enables Model Hijack

Vertex AI SDK Bucket Squatting Flaw Enables Model Hijack

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

A vulnerability in the Google Cloud Vertex AI Python SDK allowed unauthenticated attackers to intercept model uploads by pre-registering predictable staging bucket names — a technique Unit 42 calls 'Pickle in the Middle'. Once a malicious model replaced the legitimate upload, arbitrary code executed inside Google's serving infrastructure via pickle deserialization. Google patched the flaw in v1.148.0 after disclosure in March 2026, but the incident highlights systemic risks in ML pipeline supply chains.

Microsoft MDASH Discovers 16 Windows RCE Flaws

Microsoft MDASH Discovers 16 Windows RCE Flaws

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 The Hacker News

Microsoft has disclosed MDASH, a multi-model agentic AI scanning system that autonomously discovered 16 vulnerabilities patched in May 2026's Patch Tuesday, including two critical RCE flaws. The system orchestrates over 100 specialised AI agents in a structured pipeline covering auditing, debating, and proof-of-exploitability stages. MDASH represents a significant shift in how AI is being deployed offensively and defensively within the vulnerability research lifecycle, with direct implications for how agentic AI systems are trusted, scoped, and governed.

TrustFall: Repository Poisoning RCE in AI Coding Tools

TrustFall: Repository Poisoning RCE in AI Coding Tools

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Dark Reading

A vulnerability class dubbed 'TrustFall' demonstrates that malicious code repositories can trigger arbitrary code execution in AI-assisted developer tools including Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI, with little to no user interaction required. The attack surface stems from inadequate or easily dismissed warning dialogs that fail to surface the risk of executing untrusted repository content. Developers cloning or opening adversarial repositories are exposed to full host-level compromise through the elevated trust these AI coding agents place in repository-supplied context.

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Microsoft Security Blog

Microsoft's Defender Security Research Team disclosed two CVEs in Semantic Kernel — a widely-used AI agent orchestration framework — demonstrating how prompt injection can escalate to remote code execution via compromised plugins. The vulnerabilities (CVE-2026-26030 and CVE-2026-25592) expose a systemic risk in the agentic AI layer: because frameworks like Semantic Kernel abstract tool orchestration, a single flaw in how LLM outputs are mapped to system tools can propagate across every application built on that foundation. This research signals a critical shift in AI threat modelling, where prompt injection is no longer a content risk but an execution risk.

Google Patches Prompt Injection RCE in Agentic AI

Google Patches Prompt Injection RCE in Agentic AI

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 Dark Reading

Google has patched a critical prompt injection vulnerability in an agentic AI tool designed for filesystem operations, where insufficient input sanitisation enabled sandbox escape and arbitrary code execution. The flaw highlights the compounding risk surface of agentic AI systems that interface directly with operating system resources. This is a significant example of how LLM-native vulnerabilities can translate into traditional high-severity RCE outcomes.

CVE-2025-59528: Flowise RCE Exploited Across 12,000 Instances

CVE-2025-59528: Flowise RCE Exploited Across 12,000 Instances

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.4 The Hacker News

A maximum-severity (CVSS 10.0) remote code execution vulnerability in Flowise, a widely-used open-source AI agent builder, is under active exploitation with over 12,000 internet-exposed instances at risk. The flaw, CVE-2025-59528, exists in the CustomMCP node and allows unauthenticated JavaScript execution with full Node.js runtime privileges via unsanitised MCP server configuration input. This marks the third Flowise vulnerability exploited in the wild, underscoring systemic security gaps in AI orchestration and agent-building platforms.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.