Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-39987 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-39987 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-39987 is a pre-authorization remote code execution vulnerability in Marimo, the reactive Python notebook application developed by Marimo, affecting the core application server component.

Technical Detail

The flaw exists in Marimo's request handling layer and can be triggered by an unauthenticated attacker prior to any authentication or session establishment, meaning no credentials or prior access are required to exploit it. Successful exploitation grants the attacker shell-level access to the underlying host system, enabling arbitrary operating system command execution with the privileges of the Marimo process. The impact is full host compromise within the context of the running service, which in notebook environments frequently includes access to sensitive data, credentials, and connected infrastructure.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 23, 2026. The exploit is rated as operationally mature, meaning a functional exploit capable of reliable, real-world use exists and is being actively leveraged against targets. This is not a proof-of-concept scenario; exploitation does not require significant attacker sophistication.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the pre-authentication nature of the vulnerability and its operational exploit maturity, opportunistic scanning and exploitation by multiple unattributed actors is consistent with the current threat picture. Targeted sectors have not been formally identified in available intelligence.

What To Do

Under CISA's Binding Operational Directive 22-01, federal civilian agencies are required to remediate this vulnerability or apply approved mitigations by the deadline associated with the April 23, 2026 KEV listing. All organizations running Marimo should treat patching as an immediate priority given confirmed active exploitation. If a patched version is not yet available or cannot be deployed immediately, administrators should restrict network access to Marimo instances by placing them behind authenticated reverse proxies or firewall rules that block unauthenticated external access to the application port. Exposure of Marimo to public-facing networks should be treated as a critical risk until a vendor patch is applied. Monitor host-level process execution logs for unexpected shell spawning from the Marimo process as a detection signal for post-exploitation activity.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →