Prompt Injection Vulnerability in Windsurf by Vendor Name
CVE-2025-36730

4.6MEDIUM

Key Information:

Vendor: Windsurf
Status: Windsurf
Vendor: CVE Published:; 14 October 2025

What is CVE-2025-36730?

A prompt injection flaw found in Windsurf version 1.10.7 can be exploited by crafting a malicious file name that alters the user prompt. This misconfiguration allows an attacker to manipulate instructions executed by the application, posing a risk to data integrity and security. Users of Windsurf should take immediate action to assess their configurations and apply appropriate mitigations.

Affected Version(s)

Windsurf 1.10.7

References

https://www.tenable.com/security/research/tra-2025-47

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Apr 15, 2025

JSON