CVE-2026-39987: Marimo | defend.network

What is CVE-2026-39987?

Marimo contains an pre-authorization remote code execution vulnerability, allowing an unauthenticated attacked to shell access and execute arbitrary system commands.

CVSS9.8 NVD 3.1

SeverityCRITICAL

Exploitation In the wild In CISA KEV

EPSS81% · P99

Triage statusActive Exploit

ActionPatch immediately

CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Marimo Remote Code Execution Vulnerability

Added to KEV2026-04-23

Federal patch deadline2026-05-07

Known ransomware useUnknown

Affected product

Marimo

Remediation Steps

Apply the vendor patch for Marimo immediately
Audit internet-exposed Marimo notebook instances and restrict access to trusted networks
Review access logs for unauthorized changes to notebooks or credential extraction
Rotate all cloud credentials and API keys stored in or accessible via Marimo instances
Implement network segmentation to isolate notebook environments from sensitive systems

References

Coverage on defend.network

Vulnerability Priority Report – Week 1 of June 2026 (June 1 – 7)
Vulnerability Priority Report – Week 2 of April 2026 (April 13 – 19)
ChatGPT malware abuse, Marimo CVE-2026-39987 LLM exploitation, Russian infrastructure arrests (2026-05-30)
Iran PLC attacks; Marimo RCE exploited in 10h; GlassWorm IDE infection (2026-04-12)
Marimo RCE exploited; Iran targets 4,000 US PLCs; Russian token theft (2026-04-11)

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.