VYPR
Tag: kev · Published May 2, 2026 · Updated May 17, 2026 · 1 source

CISA Adds Marimo RCE Vulnerability to Known Exploited Vulnerabilities Catalog

CISA has added a critical remote code execution vulnerability in the Marimo platform to its Known Exploited Vulnerabilities catalog following reports of active exploitation.

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical remote code execution (RCE) vulnerability affecting the Marimo platform to its Known Exploited Vulnerabilities (KEV) Catalog. The inclusion of CVE-2026-39987 follows confirmed evidence that malicious actors are actively leveraging this flaw in real-world attacks (source: CISA).

The vulnerability, identified as CVE-2026-39987, allows an unauthenticated attacker to execute arbitrary code on a target system running the Marimo platform. By exploiting this flaw, an attacker can gain unauthorized control over the affected environment, potentially leading to full system compromise, data exfiltration, or the deployment of further malicious payloads. Because RCE vulnerabilities provide a direct path to system takeover, they are considered high-priority targets for threat actors seeking to establish persistence within a network (source: CISA).

CISA’s decision to add this vulnerability to the KEV catalog is mandated by Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified threats within a specified timeframe. While the directive specifically targets federal networks, CISA has issued a strong recommendation for all organizations—regardless of sector—to prioritize patching this vulnerability as part of their standard security operations (source: CISA).

The KEV catalog serves as a critical repository for vulnerabilities that pose a significant risk to the federal enterprise. By tracking these flaws, CISA aims to provide organizations with actionable intelligence to focus their limited resources on the most dangerous, actively exploited threats. Agencies and private sector entities are encouraged to review the BOD 22-01 Fact Sheet for detailed guidance on compliance and remediation timelines (source: CISA).
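The practical way to act on a KEV addition is to consume the catalog as data rather than as a headline: CISA publishes the catalog as a JSON feed whose entries carry a `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate`. The script below, an added example that is not part of the original article or of any CISA tooling, parses a feed in that layout, cross-references it against a local software inventory, and lists the matched CVEs that are past their BOD 22-01 due date. The feed content embedded here is constructed for the example: only the CVE ID and the product name come from the article; every date, due date and description is a placeholder, and the inventory host names are fictitious.

```python
"""Cross-reference a CISA KEV-format JSON feed against a local software inventory.

Added example. The feed below is CONSTRUCTED: it follows the field names of
CISA's known_exploited_vulnerabilities.json, but the dates, due dates and
descriptions are placeholders, not CISA's published data.
"""
import json
from datetime import date

# Constructed sample feed. Only "CVE-2026-39987" and the product name "marimo"
# come from the article; all other values are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-39987",
            "vendorProject": "marimo",
            "product": "marimo",
            "vulnerabilityName": "Marimo Remote Code Execution Vulnerability",
            "dateAdded": "2026-05-01",            # placeholder date
            "shortDescription": "Unauthenticated remote code execution (placeholder text).",
            "requiredAction": "Apply mitigations per vendor instructions (placeholder text).",
            "dueDate": "2026-05-22",              # placeholder due date
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-PLACEHOLDER-0001",      # obviously fictitious filler entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example Vulnerability",
            "dateAdded": "2026-04-01",
            "shortDescription": "Filler entry so the matcher has something to skip.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-04-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: lower-cased product name -> hosts running it.
INVENTORY = {
    "marimo": ["notebook-01.lab.example", "notebook-02.lab.example"],
    "someotherproduct": ["web-01.example"],
}


def load_kev(feed_text):
    """Parse a KEV-format JSON document and return its list of entries."""
    data = json.loads(feed_text)
    return data["vulnerabilities"]


def match_inventory(entries, inventory):
    """Return KEV entries whose product name matches something we run.

    Matching is by lower-cased product name; a real deployment would key on
    CPE or a software-bill-of-materials identifier instead.
    """
    hits = []
    for entry in entries:
        hosts = inventory.get(entry["product"].lower())
        if hosts:
            hits.append({
                "cveID": entry["cveID"],
                "product": entry["product"],
                "hosts": hosts,
                "dueDate": entry["dueDate"],
                "requiredAction": entry["requiredAction"],
            })
    return hits


def overdue(hits, today):
    """CVE IDs among the matches whose BOD 22-01 due date has already passed."""
    return [h["cveID"] for h in hits if date.fromisoformat(h["dueDate"]) < today]


if __name__ == "__main__":
    matches = match_inventory(load_kev(SAMPLE_KEV_JSON), INVENTORY)
    for m in matches:
        print(f"{m['cveID']}  product={m['product']}  due={m['dueDate']}  hosts={len(m['hosts'])}")
        print(f"  action: {m['requiredAction']}")
    print("overdue:", overdue(matches, date.today()))
```

To run this against the live catalog, replace `SAMPLE_KEV_JSON` with the body fetched from CISA's feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and replace `INVENTORY` with output from your asset system; the parsing and due-date logic is unchanged.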

The addition of CVE-2026-39987 highlights the ongoing challenge of securing development and data-science-oriented platforms against remote exploitation. As organizations increasingly adopt specialized tools like Marimo, they must ensure that vulnerability management programs account for the unique attack surfaces these platforms introduce. CISA continues to monitor the threat landscape and will update the KEV catalog as new evidence of active exploitation emerges (source: CISA).

Synthesized by Vypr AI