Tenable Nessus
CurXecute and MCPoison: Two Recently Disclosed Vulnerabilities in Cursor IDE
Over the past few days, researchers have disclosed two new vulnerabilities in Cursor, the AI-assisted code editor used by over a million users including notable Fortune 500 companies.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-54135 | Cursor Arbitrary Code Execution Vulnerability (“CurXecute”) | 8.5 |
| CVE-2025-54136 | Cursor Remote Code Execution via Unverified Configuration Modification Vulnerability (“MCPoison”) | 7.2 |

Both vulnerabilities have the potential to be severe, but they are context dependent. The common thread shared between CurXecute and MCPoison is how Cursor handles interaction with MCP servers.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.