CISA KEV Alert 4/23/2026, 6:33:53 PM

CISA Flags Critical Marimo RCE Bug CVE-2026-39987 in KEV

Evidence panel (CyberSIXT): source marked as original reporting; primary source cisa.gov; listed in CISA KEV; patch status unknown.

On 23 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-39987, the Marimo Remote Code Execution Vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects the Marimo product (vendor: Marimo) and permits an unauthenticated attacker to achieve remote code execution and obtain shell access.

The vulnerability is a pre-authorization remote code execution issue that can be exploited over the network without authentication, allowing arbitrary system commands to be executed on the affected host. The advisory indicates that an attacker can send a specially crafted request to the Marimo service to trigger the flaw. It carries a CVSS v3.1 base score of 9.3, rating it as CRITICAL. According to the supplementary data, no patch is currently available.

Because the entry appears in the KEV catalogue, active exploitation of CVE-2026-39987 has been confirmed in the wild. No known ransomware campaign has been linked to this vulnerability at the time of writing. CISA has set a remediation deadline of 7 May 2026 for federal civilian executive branch (FCEB) agencies to address the issue.

CISA requires FCEB agencies to apply mitigations per vendor instructions, follow applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. All other organisations are advised to review their exposure to Marimo and implement any available mitigations or consider discontinuing use until a fix is released. Organisations should also monitor for any indicators of compromise released by Marimo.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39987 and the CISA KEV catalogue.


Article by CyberSIXT
