A serious security flaw in Cursor, a popular AI code editor used by more than 7 million developers, lets attackers run any code on Windows systems. Just opening a harmful repository can start this process. It doesn’t need any clicks, confirmations, or approvals from the user. The flaw was found by Mindgard, a security company, on December 15, 2025, and told to Cursor’s security team that same day.
The vulnerability stems from how Cursor resolves Git binaries when loading a development project. Among the locations Cursor searches is the workspace root itself.
If an attacker plants a malicious file named git.exe in that root directory, Cursor executes it automatically as part of its normal path resolution routine. Because the editor performs this search implicitly, it triggers execution without any security prompt or user warning.

SonicWall
SonicWall says that hackers are using two SMA1000 weaknesses, named CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and tells customers to install the new security updates.
CVE-2026-15409 is a serious (CVSS 10.0) server-side request forgery (SSRF) flaw in the SMA1000 Appliance Work Place interface. It lets a remote, unauthorized person make the appliance send requests to wrong places.
CVE-2026-15410 is a serious issue (CVSS 7.2) in the SMA1000 Appliance Management Console. It lets a remote admin who is logged in run any commands on the operating system.
SonicWall says it investigated multiple incidents and confirmed that both vulnerabilities are being actively exploited.
“SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory,” SonicWall warned.
“Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities”
The vulnerabilities affect SMA1000 models 6210, 7210, and 8200v running platform-hotfix releases 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. Fixes are available in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, and later releases.
SonicWall advises moving to the newest hotfix and checking if any of the listed IOCs are there.
SharePoint
The Cybersecurity and Infrastructure Security Agency (CISA) has put a serious flaw in Microsoft SharePoint Server, called CVE-2026-56164, in its list of known exploited vulnerabilities because it is being actively used by bad actors.
CVE-2026-56164 is a missing-authentication issue that affects important parts of Microsoft SharePoint Server.
An attacker can use this weakness without having real SharePoint credentials. CISA’s advice says that if they succeed, an unauthorized attacker could get higher access on a network.
CISA put this weakness in its Known Exploited Vulnerabilities list on July 14, 2026, showing that the agency knows it has been used in real attacks.
They set a deadline for fixing the problem by July 17, 2026, giving federal agencies just three days to deal with it. Just because this weakness is in the list does not mean it is used in ransomware attacks.
InfoSecBulletin Cybersecurity for mankind
