According to CISA, the Known Exploited Vulnerabilities (KEV) Catalog is the authoritative source used to prioritise vulnerability management for exploits seen in the wild. The page highlights CVE-2026-39987, a Marimo Remote Code Execution Vulnerability described as pre‑authorization and allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands. The entry's "Known To Be Used in Ransomware Campaigns?" field reads Unknown.
Action guidance recommends applying mitigations per vendor instructions, following applicable BOD 22‑01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable. The entry also notes the date added as 23 April 2026 and the due date as 7 May 2026, and mentions that KEV is available in CSV, JSON, and JSON Schema formats for download.
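As an added example (not CISA's code), the sketch below shows how a defender might consume the JSON format mentioned above to track the due date against an asset inventory. The field names follow the KEV JSON feed; the embedded record is a constructed sample built from the values on this page, and the inventory, host names, `vendorProject`/`product` strings and the product-name matching are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. CVE, name, dates and
# ransomware field come from the entry above; vendorProject/product are assumed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [{
        "cveID": "CVE-2026-39987",
        "vendorProject": "Marimo",
        "product": "Marimo",
        "vulnerabilityName": "Marimo Remote Code Execution Vulnerability",
        "dateAdded": "2026-04-23",
        "dueDate": "2026-05-07",
        "knownRansomwareCampaignUse": "Unknown",
    }],
})

# Hypothetical asset inventory: host -> installed products (assumption).
INVENTORY = {"nb-host-01": ["marimo", "nginx"], "web-02": ["nginx"]}


def triage(kev_json, inventory, today):
    """Return one finding per (host, KEV entry) match, most urgent first."""
    findings = []
    for vuln in json.loads(kev_json).get("vulnerabilities", []):
        product = vuln.get("product", "").lower()
        try:
            due = date.fromisoformat(vuln["dueDate"])
        except (KeyError, ValueError):
            due = None  # malformed or missing date: surface it, do not drop it
        for host, products in inventory.items():
            if product in (p.lower() for p in products):
                days_left = (due - today).days if due else None
                findings.append({
                    "host": host,
                    "cve": vuln.get("cveID"),
                    "days_left": days_left,
                    "overdue": days_left is not None and days_left < 0,
                    "ransomware": vuln.get("knownRansomwareCampaignUse", "Unknown"),
                })
    # Entries with no usable due date sort first so they get reviewed.
    return sorted(findings, key=lambda f: (f["days_left"] is not None, f["days_left"] or 0))


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 5, 1)):
        print(f)
```

Matching on a lower-cased product name is deliberately simple; a real inventory would normally match on CPE or package identifiers.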