OX Security: 94+ Unpatched Chromium CVEs in Cursor and Windsurf IDEs Put 1.8 Million Developers at Risk
OX Security·high signal
OX Security weaponized CVE-2025-7656 (a patched Chromium flaw) against the latest versions of Cursor and Windsurf, demonstrating that both IDEs run on Electron builds with Chromium engines frozen since March 2025. At least 94 known CVEs have accumulated since their last update. Cursor dismissed the report as 'out of scope' and Windsurf did not respond, leaving the entire developer supply chain exposed.