05
Paper documents 30+ prompt-injection CVEs across AI coding IDEs
verifiedDeveloperLegal
Monday, July 13, 2026
Confidence
High · — peer-published paper with named CVEs and reproducible chain
Evidence
arXiv systematic analysis + OWASP + Vectra AI writeup
A systematic arXiv analysis of agentic coding assistants catalogs the CVEs disclosed against Copilot, Cursor, Claude Code, Windsurf and others — including a working GitHub Copilot privilege-escalation chain.
- The paper details CVE-2025-53773, a Copilot RCE where a code-comment injection writes `chat.tools.autoApprove: true` into VS Code settings, silencing future tool calls.
- Rehberger's disclosures covered Devin, Cursor (CVE-2025-54132), Copilot, Claude Code (CVE-2025-55284) and Google Jules — same vector: plant instructions in a file the agent reads.
Sources