VYPR
kev · May 2, 2026 · 1 source

CISA Adds Marimo RCE Vulnerability CVE-2026-39987 to KEV Catalog

CISA has added the Marimo remote code execution vulnerability (CVE-2026-39987) to its Known Exploited Vulnerabilities Catalog following evidence of active exploitation.

CISA has incorporated CVE-2026-39987, a Marimo remote code execution vulnerability, into its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of its active exploitation. This inclusion underscores the immediate threat posed by this vulnerability, as it is already being used in real-world attacks. The KEV Catalog, established by Binding Operational Directive (BOD) 22-01, serves as a critical resource for identifying and mitigating vulnerabilities with significant risk to the federal enterprise.

The Marimo vulnerability, categorized as a remote code execution flaw, allows attackers to execute arbitrary code on affected systems without user interaction. This capability can lead to a complete compromise of the targeted device, enabling data theft, system disruption, or the deployment of further malicious software. Such vulnerabilities are considered high-priority due to their potential for widespread damage.

Federal Civilian Executive Branch (FCEB) agencies are mandated by BOD 22-01 to address all vulnerabilities listed in the KEV Catalog within a defined timeframe. Users of Marimo are urged to apply any available patches or implement mitigating controls to protect against exploitation. Continuous monitoring for suspicious activity is also recommended.

Synthesized by Vypr AI