AI Vendor Security & Compliance Brief

Cursor

Independent due-diligence summary · every fact links to the vendor's official source

2 source-cited facts

2 independently verified certs

12 legal documents tracked

Generated 2026-06-05

Data & Contract Facts deterministic · cited

Attribute	Value	Source
Base Price (USD)	20	https://cursor.com/en-US/pricing
Trains on Customer Data	False	https://cursor.com/privacy

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Found 19

CVE-2025-54131 (MEDIUM)

CVE-2025-54132 (MEDIUM)

CVE-2025-54133 (CRITICAL)

CVE-2025-54136 (HIGH)

CVE-2025-54130 (HIGH)

CVE-2025-54135 (HIGH)

CVE-2025-61589 (MEDIUM)

CVE-2025-61590 (HIGH)

CVE-2025-61591 (HIGH)

CVE-2025-61592 (HIGH)

CVE-2025-61593 (HIGH)

CVE-2025-59944 (HIGH)

CVE-2025-64106 (HIGH)

CVE-2025-64107 (HIGH)

CVE-2025-64108 (HIGH)

CVE-2025-64110 (HIGH)

CVE-2026-22708 (CRITICAL)

CVE-2026-26268 (HIGH)

CVE-2026-31854 (HIGH)

Vulnerability Disclosure Policy (security.txt) Found 1

valid

Email Spoofing Protection (DMARC) Protected

DMARC enforced and SPF present — spoofing well mitigated.

DMARC enforced (p=reject/quarantine) · SPF present · checked @cursor.com

Web TLS Certificate Valid

Certificate valid · 48d to expiry · Let's Encrypt

Data Breach History (HIBP) None found

Queried the authoritative source; no records.

Supply-Chain Security (OpenSSF Scorecard) Not determinable

Could not map this vendor to a software identity — abstained rather than guess.

OFAC Sanctions Screening None found

Queried the authoritative source; no records.

SEC Cyber Incident Disclosures (8-K 1.05) Not determinable

Could not map this vendor to a software identity — abstained rather than guess.

Independently Verified Certifications

Certification	Status	Evidence
ISO 27001	active	https://www.vanta.com/collection/iso-27001/iso-27001-audit
SOC2 TYPE2	active	https://cursor.sh/security

Vendor-Claimed, Not Independently Verified treat as unconfirmed

PEN TEST

claimed_unverified

https://cursor.sh/security

These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Tracked Legal & Policy Documents

Document	URL
Baa	https://cursor.com/docs/enterprise/baa
Cookie	https://cursor.com/cookie-policy
Msa	https://cursor.com/terms/msa
Pricing	https://cursor.sh/pricing
Privacy	https://cursor.sh/privacy
Security	https://cursor.sh/security
Sla	https://cursor.com/terms-of-service
Soc Report	https://trust.cursor.com
Subprocessors	https://trust.cursor.com/subprocessors
Tos	https://cursor.com/terms-of-service
Trust	https://cursor.com/security
Vuln Mgmt	https://cursor.sh/.well-known/security.txt

Monitor Cursor — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Cursor changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.

Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.