9 Prompt Injection CVEs With CVSS Scores > 9.0

  • Critical Exposure: Cursor IDE (CVSS 9.8), GitHub Copilot (CVSS 9.6), and Microsoft Copilot (CVSS 9.3) all suffered from critical prompt injection vulnerabilities in recent cycles.
  • Architectural Flaws: The root cause of these CVEs is structural; LLMs cannot inherently separate instruction tokens from data tokens, making complete patching nearly impossible.
  • Remote Code Execution: Modern indirect prompt injection has escalated from harmless chatbot manipulation to true remote code execution (RCE) via automated agent tool usage.
  • Defense-in-Depth Required: Reliance on system prompts or single-layer sanitization is insufficient. Enterprises must implement strict tool sandboxing and multi-layered anomaly detection.

In 2026, prompt injection vulnerabilities are no longer just theoretical red team exercises; they are CVSS 9.0+ critical enterprise threats affecting standard developer tools like Cursor IDE, GitHub Copilot, and Microsoft Copilot.

We are witnessing an era where maliciously crafted instructions embedded in documents or web pages can weaponize AI agents to execute arbitrary code or exfiltrate sensitive data. For a holistic view on how these vulnerabilities fit into the broader threat landscape, review our comprehensive guide on AI agent security.

This deep dive examines the highest-severity prompt injection CVEs of the past year, the structural reasons why these patches often fail, and how enterprise security teams must recalibrate their threat models.

The Most Severe Prompt Injection CVEs in 2026

The severity of a Common Vulnerability Scoring System (CVSS) score reflects both the impact and the exploitability of a flaw. A score above 9.0 is categorized as "Critical" and typically demands immediate emergency patching across the enterprise.

In the AI security domain, however, remediation is complex. Because Large Language Models (LLMs) are stochastic, these vulnerabilities stem from fundamental architectural behavior rather than from discrete logic bugs that a single patch can close. The following are the most critical prompt injection cases defining the 2026 threat landscape.

Cursor IDE CVSS 9.8: Anatomy of a Critical Flaw

Cursor IDE received a staggering CVSS 9.8 score for a prompt injection vulnerability that allowed an attacker to execute arbitrary system commands on a developer's machine.

The exploit leveraged the IDE's autonomous coding features, where the agent processes external files as part of its context window. By hiding malicious instructions inside a seemingly benign project dependency or README file, an attacker could instruct the underlying AI to write and execute a malicious shell script.

Because the IDE operates with the privileges of the developer, the blast radius of this attack was massive. The vendor response focused on improved context isolation and semantic firewalls, but the underlying vulnerability highlights the danger of granting agentic AI unrestricted local file system access without human-in-the-loop validation.

GitHub Copilot CVSS 9.6: The Patch That Wasn't

GitHub Copilot faced a critical vulnerability (CVE-2025-53773) holding a CVSS score of 9.6, which permitted remote code execution via prompt injection. The attack allowed adversaries to manipulate the AI assistant into exfiltrating private repository secrets.

The initial patch issued by Microsoft attempted to filter known adversarial patterns and fortify the system prompt. However, researchers quickly demonstrated that obfuscated prompts could bypass these lexical filters.

This "patch that wasn't" underscores the reality that lexical filtering is an inadequate defense against advanced promptware.

Microsoft Copilot CVSS 9.3: Persistent Vulnerabilities

Microsoft Copilot was assigned a CVSS 9.3 score following the discovery of indirect prompt injection pathways via Microsoft 365 integrations. Attackers could embed invisible text within Word documents or emails that, when summarized or analyzed by Copilot, triggered unauthorized actions.

This vulnerability showcased the risk of connected ecosystems. The agent acted as a "confused deputy," executing actions on behalf of the user because it could not distinguish the user's intent from the document's hidden commands.
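The invisible-text pathway described above is one of the few parts of this attack class that a deterministic pre-processor can catch before a document ever reaches the summarizer. The following scanner is an added example written for this article, not Microsoft's code or anything from the Copilot patch: it flags zero-width characters, bidirectional overrides and Unicode "tag" characters (U+E0000 to U+E007F, which are invisible but carry an ASCII payload), reveals any tag-encoded payload for the reviewer, and returns a sanitized copy. The character ranges are real Unicode; the sample document, the `zero_width_budget` threshold and the triage decisions are constructed for illustration.

```python
"""Detect invisible or direction-spoofing Unicode in text bound for an LLM.
Added illustration for this article; the sample document is constructed."""
from dataclasses import dataclass
import unicodedata

# Code points that render as nothing in most viewers.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD, 0x034F}
# Overrides (LRO/RLO) force reordering and are rarely legitimate in prose;
# the remaining embeds/isolates/PDF are common in mixed Arabic/Hebrew text.
BIDI_OVERRIDES = {0x202D, 0x202E}
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x2066, 0x2067, 0x2068, 0x2069}
# Unicode tag characters: invisible, but each maps to one ASCII byte.
TAG_START, TAG_END = 0xE0000, 0xE007F


@dataclass
class Finding:
    offset: int
    codepoint: int
    kind: str


def scan_hidden_text(text: str) -> list[Finding]:
    """Return every code point that is invisible or rewrites display order."""
    findings = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        if cp in ZERO_WIDTH:
            findings.append(Finding(i, cp, "zero-width"))
        elif cp in BIDI_OVERRIDES:
            findings.append(Finding(i, cp, "bidi-override"))
        elif cp in BIDI_CONTROLS:
            findings.append(Finding(i, cp, "bidi-control"))
        elif TAG_START <= cp <= TAG_END:
            findings.append(Finding(i, cp, "tag-char"))
        elif unicodedata.category(ch) == "Cf":
            findings.append(Finding(i, cp, "format-char"))  # any other invisible format char
    return findings


def reveal_tag_payload(text: str) -> str:
    """Decode tag characters back to ASCII so a reviewer can see what was hidden."""
    return "".join(
        chr(ord(ch) - TAG_START)
        for ch in text
        if TAG_START + 0x20 <= ord(ch) <= TAG_START + 0x7E
    )


def sanitize(text: str, findings: list[Finding]) -> str:
    """Drop every flagged code point; the visible text is left untouched."""
    drop = {f.offset for f in findings}
    return "".join(ch for i, ch in enumerate(text) if i not in drop)


def triage_document(text: str, zero_width_budget: int = 2) -> dict:
    """Decide whether a document may be summarized as-is or must be quarantined.

    Tag characters and bidi overrides have no business in an office document;
    a few zero-width joiners can be legitimate (emoji sequences, Persian and
    Indic scripts), so those only count against a budget (constructed value).
    """
    findings = scan_hidden_text(text)
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    quarantine = (
        counts.get("tag-char", 0) > 0
        or counts.get("bidi-override", 0) > 0
        or counts.get("zero-width", 0) > zero_width_budget
    )
    return {
        "decision": "quarantine" if quarantine else "pass",
        "counts": counts,
        "hidden_payload": reveal_tag_payload(text),
        "sanitized": sanitize(text, findings),
    }


# Constructed sample: a plausible status email with three zero-width spaces,
# the word "hidden" spelled in tag characters, and an RLO...PDF override pair.
SAMPLE_DOC = (
    "Quarterly summary: revenue grew 12% and churn fell.\n"
    "\u200b\u200b\u200b"
    "\U000E0068\U000E0069\U000E0064\U000E0064\U000E0065\U000E006E"
    "\u202eTotal: 42\u202c\n"
    "Regards, Finance\n"
)

if __name__ == "__main__":
    print(triage_document(SAMPLE_DOC))
```

The quarantine decision is intentionally conservative on tag characters and overrides and lenient on zero-width joiners, because a scanner that blocks every legitimate emoji or Persian document will be switched off within a week. Run it as a gate in the ingestion pipeline and route quarantined documents to a human rather than to the model.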

Mitigation strategies now heavily rely on runtime tool-abuse monitoring and strict least-privilege scoping for AI agents operating within enterprise tenants.
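The least-privilege scoping and tool-abuse monitoring this paragraph calls for, and the human-in-the-loop validation the Cursor IDE section above says was missing, come down to one enforcement point: the layer that turns a model's tool request into a real action. The gate below is an added example written for this article, not code from Cursor, GitHub or Microsoft. It assigns a risk tier per tool name (not per argument, since the GitHub Copilot section shows that lexical inspection of content is exactly what gets bypassed), confines file tools to the project root after resolving symlinks and `..`, sends shell execution and post-ingestion writes to a human, refuses outbound tools once untrusted text has entered the context, and treats repeated denials in one session as the anomaly signal. The tool names, tiers, thresholds and the sample session are all constructed assumptions.

```python
"""Least-privilege tool gate for an LLM agent with taint tracking and
denial-based anomaly alerting.  Added example; not any vendor's code."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import Path
from typing import Callable
import logging

log = logging.getLogger("agent-gate")

# Risk tier is keyed by tool name, never derived from the arguments, so a
# crafted argument cannot talk the gate into a lower tier. (Constructed tiers.)
TOOL_TIERS = {
    "read_file": "low",
    "write_file": "medium",
    "run_shell": "high",
    "http_post": "exfil",   # anything that can move data off the host
}


@dataclass
class ToolRequest:
    tool: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False


@dataclass
class AgentSession:
    project_root: Path
    approve: Callable[[ToolRequest], bool]   # human-in-the-loop hook
    tainted: bool = False                    # has untrusted text entered context?
    denied: int = 0
    alert_threshold: int = 3                 # constructed anomaly threshold

    def __post_init__(self) -> None:
        self.project_root = self.project_root.resolve()

    def ingest(self, text: str, trusted: bool) -> None:
        """Record provenance: files, web pages and mail are untrusted by default."""
        if not trusted:
            self.tainted = True

    def _inside_root(self, raw: str) -> bool:
        # Resolve symlinks and '..' before comparing; a prefix check on the raw
        # string would let 'src/../../.ssh/id_rsa' through.
        target = (self.project_root / raw).resolve()
        return target == self.project_root or self.project_root in target.parents

    def evaluate(self, req: ToolRequest) -> Decision:
        tier = TOOL_TIERS.get(req.tool)
        if tier is None:
            return self._deny(req, "unknown tool")
        if tier == "exfil" and self.tainted:
            return self._deny(req, "outbound tool blocked while untrusted content is in context")
        if req.tool in ("read_file", "write_file") and not self._inside_root(req.args.get("path", "")):
            return self._deny(req, "path escapes project root")
        if tier == "high" or (tier == "medium" and self.tainted):
            # Code execution, or file writes after untrusted input arrived,
            # need a person; the model never approves its own request.
            if self.approve(req):
                return Decision(True, f"human approved {req.tool}", needs_human=True)
            return self._deny(req, "human rejected", needs_human=True)
        return Decision(True, f"{tier}-risk tool permitted")

    def _deny(self, req: ToolRequest, reason: str, needs_human: bool = False) -> Decision:
        self.denied += 1
        log.warning("denied %s %s: %s", req.tool, req.args, reason)
        if self.denied >= self.alert_threshold:
            # A benign coding task rarely keeps probing outside its sandbox;
            # repeated denials in one session are the tool-abuse signal.
            log.error("tool-abuse alert: %d denials in session", self.denied)
        return Decision(False, reason, needs_human)

    def alerting(self) -> bool:
        return self.denied >= self.alert_threshold


def run_scenario(auto_approve: bool = False) -> tuple[list[Decision], AgentSession]:
    """Constructed session mirroring the README pattern from the Cursor section:
    the agent reads a project file, after which the requests it emits try to
    write and run a script, post data out, and read outside the project."""
    session = AgentSession(Path("/tmp/demo-project"), approve=lambda req: auto_approve)
    results = [session.evaluate(ToolRequest("read_file", {"path": "README.md"}))]
    session.ingest("<README contents loaded from disk>", trusted=False)
    for req in (
        ToolRequest("write_file", {"path": "setup.sh"}),
        ToolRequest("run_shell", {"cmd": "sh setup.sh"}),
        ToolRequest("http_post", {"url": "https://example.invalid/collect"}),
        ToolRequest("read_file", {"path": "../../.ssh/id_rsa"}),
    ):
        results.append(session.evaluate(req))
    return results, session


if __name__ == "__main__":
    for d in run_scenario()[0]:
        print(d)
```

The design choice worth copying is that the gate never reads the model's text to decide anything: it looks only at which tool is being invoked, where the path resolves to, and whether untrusted content has already entered the session. That is what "assume breach at the LLM layer" means in practice, and it is why the gate keeps working against obfuscated prompts that defeat a pattern filter.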

Exploitation Mechanics & Public Proofs-of-Concept

The transition from theoretical risk to active exploitation is marked by the availability of public proof-of-concept (PoC) exploits. In 2026, the AI security community witnessed a surge in weaponized PoCs targeting prominent AI frameworks and tools.

Attackers are no longer just manipulating text outputs; they are leveraging the prompt to hijack downstream API calls. This methodology has been defined as a "Promptware Kill Chain," moving from initial access via prompt injection to privilege escalation, persistence, and eventual action on objectives (like RCE or data exfiltration).

Security researchers have published PoCs demonstrating how just a few carefully crafted documents can poison a Retrieval-Augmented Generation (RAG) system, manipulating the AI's responses with high success rates. These exploits prove that any agent interacting with untrusted external data must be treated as a high-risk surface.

Vendor Disclosures and Patch Metrics

Tracking vulnerability disclosures reveals a stark contrast between traditional software and AI agents. In traditional environments, a CVSS 9.0+ triggers an immediate, verifiable patch. In the AI domain, vendors often issue "mitigations" rather than definitive fixes.

The average time-to-patch for AI agent CVEs is misleadingly short because the initial patch is frequently bypassed within weeks. When evaluating tools built on Anthropic's Model Context Protocol, security teams must recognize that the underlying protocol also introduces new tool-poisoning attack surfaces that vendors are still struggling to secure.

Major vendors like OpenAI, Microsoft, and Anthropic have drastically increased their disclosure rates, acknowledging that absolute prevention is currently impossible. The focus has shifted from perfect sanitization to limiting the blast radius of a successful injection through sandboxing and anomaly detection.

Open-Source vs. Commercial Agents: A CVE Perspective

A common debate in enterprise architecture is whether open-source AI agents offer better security than commercial alternatives. From a CVE perspective, the data is nuanced.

Open-source models and frameworks often have more transparent vulnerability disclosures because the community rigorously audits the codebase. However, they frequently lack the out-of-the-box runtime protections and semantic firewalls that enterprise commercial vendors deploy.

Conversely, commercial agents obscure their underlying architecture, leading to "black box" vulnerabilities where enterprise defenders are wholly reliant on the vendor's unverified claims of security. Ultimately, neither is immune to prompt injection, and both require independent, multi-layered defensive architectures.

Conclusion

The persistence of CVSS 9.0+ prompt injection vulnerabilities across elite developer tools is a wake-up call for enterprise security. Defending against attacks like those seen in Cursor IDE and GitHub Copilot requires abandoning the belief that system prompts can secure an application.

Enterprise architectures must evolve to assume breach at the LLM layer, strictly limiting agent permissions and deploying robust runtime monitoring to catch the inevitable malicious payloads before they execute.

About the Author: Chanchal Saini

Chanchal Saini is a Research Analyst focused on turning complex datasets into actionable insights. She writes about practical impact of AI, analytics-driven decision-making, operational efficiency, and automation in modern digital businesses.


Frequently Asked Questions (FAQ)

What are the most severe prompt injection CVEs in 2026?

The most critical documented vulnerabilities include Cursor IDE at CVSS 9.8, GitHub Copilot (CVE-2025-53773) at CVSS 9.6, and Microsoft Copilot at CVSS 9.3. These vulnerabilities highlight structural weaknesses allowing remote code execution and data exfiltration.

Why did Cursor IDE receive a CVSS 9.8 prompt injection score?

Cursor IDE received this near-maximum score because the vulnerability allowed for unauthenticated remote command execution. Attackers could embed hidden prompts in project files, forcing the AI agent to execute malicious shell commands on the local host with the developer's privileges.

How did the GitHub Copilot 9.6 CVE work?

CVE-2025-53773 permitted remote code execution and the exfiltration of private repository secrets. Attackers bypassed initial safety guardrails using obfuscated prompt injections, weaponizing the assistant's ability to read and analyze private codebases.

Was the Microsoft Copilot 9.3 prompt injection ever fully patched?

No. Because LLMs lack a deterministic boundary between data and instructions, the vulnerability was mitigated rather than fully eliminated. Microsoft implemented stricter input filtering and output monitoring, but sophisticated indirect prompt injections can still theoretically bypass these layers.

Are there public proof-of-concept exploits for these CVEs?

Yes. Security researchers and red teams have published numerous proof-of-concept exploits demonstrating how these vulnerabilities can be triggered using techniques like Retrieval-Augmented Generation (RAG) poisoning and promptware kill chains.

Which AI vendors have disclosed the most prompt injection CVEs?

Major ecosystem providers, including Microsoft, GitHub, and frameworks integrating with OpenAI models, represent the bulk of high-profile CVEs. This is largely due to their massive deployment scale and the intensive security scrutiny applied to their platforms.

How do attackers chain multiple low-severity CVEs into a critical exploit?

Attackers often combine a low-severity information disclosure flaw with a moderate prompt injection vulnerability. By extracting system prompt details or environment variables first, they can craft highly specific secondary injections that escalate privileges and result in critical remote code execution.

What is the average time-to-patch for AI agent CVEs?

While vendors frequently deploy initial mitigations within 48 to 72 hours, true remediation metrics are difficult to establish. Attackers routinely bypass these initial lexical filters within weeks, requiring continuous, rolling updates rather than a single definitive patch.

Are open-source AI agents safer than commercial ones from a CVE standpoint?

Not necessarily. Open-source agents benefit from community auditing and faster identification of flaws, but they often lack the robust runtime security layers provided by commercial vendors. Both environments share the same underlying architectural susceptibility to prompt injection.

Where can I track new prompt injection CVEs in real time?

Security professionals should monitor the National Vulnerability Database (NVD), the OWASP Top 10 for LLM Applications updates, and dedicated AI threat intelligence feeds provided by specialized AI security vendors like Protect AI and Lakera.