{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/marimo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-39987"}],"_cs_exploited":false,"_cs_products":["Marimo"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-39987","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Marimo"],"content_html":"\u003cp\u003eA pre-authentication remote code execution vulnerability, CVE-2026-39987, exists within the Marimo application. This vulnerability allows an unauthenticated attacker to gain shell access and execute arbitrary system commands on the affected system. Given the nature of the vulnerability, all versions of Marimo are potentially affected unless patched or mitigated. Successful exploitation could lead to complete system compromise, data theft, or denial of service. The vulnerability was publicly disclosed in April 2026 and organizations using Marimo should take immediate action to address it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a specially crafted request to the Marimo server.\u003c/li\u003e\n\u003cli\u003eThe Marimo application fails to properly validate or sanitize the input within the request.\u003c/li\u003e\n\u003cli\u003eThis input is processed by the server without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eDue to the lack of input validation, the attacker injects malicious code into the application.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed with the privileges of the Marimo process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains shell access to the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary system commands, potentially installing malware or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence for continued access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39987 allows an unauthenticated attacker to execute arbitrary system commands on a server running Marimo. This could lead to complete compromise of the system, including data theft, malware installation, or denial of service. The number of potential victims is dependent on the number of Marimo deployments, but given the pre-authentication nature of the vulnerability, any unpatched instance is at risk. Sectors particularly at risk are those relying on Marimo for critical services or data management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by the vendor to address CVE-2026-39987 or discontinue use of the product.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Marimo Exploitation Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-39987 within web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from Marimo servers, which could indicate successful exploitation.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if Marimo is deployed in a cloud environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-marimo-rce/","summary":"CVE-2026-39987 is a pre-authentication remote code execution vulnerability in Marimo, enabling unauthenticated attackers to execute arbitrary system commands.","title":"Marimo Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39987)","url":"https://feed.craftedsignal.io/briefs/2026-04-marimo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Marimo","version":"https://jsonfeed.org/version/1.1"}