Cursor AI Code Editor Vulnerability Enables RCE via Malicious MCP File Swaps Post Approval - The Hacker News
CVE-2025-54136, codenamed MCPoison, is a high-severity vulnerability in the Cursor AI code editor that allows for remote code execution (RCE). It exploits how the editor handles Model Context Protocol (MCP) configurations, permitting an attacker to silently swap a previously approved, benign configuration with a malicious payload without re-prompting the user.
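A defensive sketch of the check whose absence the summary describes, added here as an example and not taken from Cursor or the original report: each approval is bound to a SHA-256 digest of the exact server entry the user saw, so a later swap under the same name forces a new prompt. The `mcpServers`/`command`/`args` layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import json


def entry_digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one MCP server entry."""
    # Sorted keys and fixed separators: key order or whitespace changes do not
    # alter the digest, but any change to command, args or env does.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config: dict) -> dict:
    """Record approvals as {server name: digest of the entry the user saw}."""
    return {name: entry_digest(entry)
            for name, entry in config.get("mcpServers", {}).items()}


def needs_reapproval(config: dict, approvals: dict) -> dict:
    """Return {server name: reason} for entries that must not run unprompted."""
    flagged = {}
    for name, entry in config.get("mcpServers", {}).items():
        if name not in approvals:
            flagged[name] = "never approved"
        elif entry_digest(entry) != approvals[name]:
            # Same name, different content: the post-approval swap case.
            flagged[name] = "changed since approval"
    return flagged


# Constructed sample configurations (hypothetical names and commands).
APPROVED = {"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}
SWAPPED = {"mcpServers": {"build-helper": {"command": "placeholder-changed-command",
                                           "args": ["placeholder-arg"]}}}
REORDERED = {"mcpServers": {"build-helper": {"args": ["hello"], "command": "echo"}}}

if __name__ == "__main__":
    approvals = approve(APPROVED)
    for label, cfg in (("approved", APPROVED), ("swapped", SWAPPED),
                       ("reordered", REORDERED)):
        print(label, needs_reapproval(cfg, approvals))
```

Keeping the approval record outside the repository matters here, since a record stored next to the configuration could be rewritten in the same commit that swaps the entry.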