Cursor for Windows version 3.2.16 contains a binary planting vulnerability that allows remote attackers to achieve arbitrary code execution by placing a malicious git.exe file in the repository root directory. When a developer clones and opens a crafted repository, Cursor automatically resolves and executes the workspace-resident git.exe during IDE startup and on a recurring timed cadence without any user interaction, running the malicious binary under the privileges of the current user.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-63093 is a binary planting vulnerability in Cursor for Windows (version 3.2.16) that enables arbitrary code execution through a trojanized git.exe file placed in a repository root directory. The vulnerability is critical because Cursor automatically discovers and executes this workspace-resident binary during IDE startup and on recurring timed intervals without requiring user interaction or consent. This affects developers using Cursor who clone repositories from untrusted or compromised sources, as the malicious git.exe runs with the privileges of the current user—potentially allowing attackers to steal credentials, inject malware, exfiltrate source code, or establish persistence on developer workstations.
While Casky.ai currently has 0 mapped skills directly addressing this specific CVE, the underlying attack pattern maps to privilege escalation and execution techniques that Claude AI with extended reasoning can help practitioners identify. A Casky user would observe indicators aligned with MITRE ATT&CK's Execution and Persistence tactics—specifically suspicious binary execution from unexpected file paths, unsigned executables loaded from repository directories, and recurring process launches tied to IDE initialization. By correlating process creation events, file system monitoring, and execution context, practitioners using Casky's analytical framework can detect when development environments are spawning binaries from workspace roots rather than expected system or application directories, enabling faster isolation of compromised repositories and prevention of code execution before damage occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-63093. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation