What happened
Attacker plants malicious instructions inside an MCP response or web search result. The Cursor AI agent reads the content and follows the hidden instruction, which abuses the run_terminal_cmd working_directory parameter to write a file outside the sandbox's allowed scope. This write disables the sandbox. The agent then executes arbitrary commands with the permissions of the Cursor process.