PatchSiren

CVE-2026-39987 Marimo CVE debrief

CVE-2026-39987 is a Marimo remote code execution vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2026-04-23. Because it is listed in KEV, defenders should treat it as actively exploited and prioritize remediation immediately. CISA’s required-action guidance is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vendor: Marimo
Product: Marimo
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-04-23
Original CVE updated: 2026-04-23
Advisory published: 2026-04-23
Advisory updated: 2026-04-23

Who should care

Organizations that run or depend on Marimo, especially teams exposing it to untrusted networks or users, and security teams responsible for tracking CISA KEV items.

Technical summary

The available source material identifies CVE-2026-39987 as a remote code execution issue in Marimo. CISA’s KEV listing indicates the vulnerability is known to be exploited in the wild. No further technical detail is provided in the supplied corpus, so the safe defensive takeaway is to treat Marimo instances as high-priority remediation targets and apply vendor-provided mitigations without delay.

Defensive priority

Urgent

Recommended defensive actions

  • Identify all Marimo deployments and confirm their versions and exposure.
  • Apply vendor-recommended mitigations or fixes as soon as they are available.
  • If mitigations are unavailable, follow CISA’s guidance to discontinue use of the product.
  • For cloud-hosted use, follow applicable BOD 22-01 guidance.
  • Prioritize remediation in line with the KEV due date of 2026-05-07.
  • Monitor vendor and official vulnerability sources for updated guidance.
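
One way to carry out the first action on a single host, as an added example that is not taken from the CISA listing or from Marimo: walk the given directory trees and report every installed copy of the package with its version. It assumes Marimo is deployed as the Python package named `marimo`, and the function names are illustrative.

```python
"""Inventory installed copies of the `marimo` Python package under given roots."""
import os
import sys
from email.parser import Parser
from pathlib import Path

PACKAGE = "marimo"  # assumption: Marimo is installed as the Python package of this name


def read_dist_info(dist_info):
    """Return (normalized_name, version) from <dist-info>/METADATA, or None."""
    try:
        text = (Path(dist_info) / "METADATA").read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None  # unreadable or incomplete install: skip it, do not guess
    headers = Parser().parsestr(text, headersonly=True)
    name, version = headers.get("Name"), headers.get("Version")
    if not name or not version:
        return None
    return name.strip().lower().replace("_", "-"), version.strip()


def find_marimo_installs(roots):
    """Walk each root and return sorted (site_packages_dir, version) pairs."""
    found = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root, followlinks=False):
            for d in list(dirnames):
                if not d.endswith(".dist-info"):
                    continue
                dirnames.remove(d)  # never descend into metadata directories
                if d.lower().startswith(PACKAGE + "-"):
                    info = read_dist_info(os.path.join(dirpath, d))
                    # Check the declared Name so similarly named packages are ignored.
                    if info and info[0] == PACKAGE:
                        found.append((dirpath, info[1]))
    return sorted(found)


if __name__ == "__main__":
    # Default to the running interpreter's prefix; pass directories such as
    # /opt, /srv or /home to cover virtualenvs elsewhere on the host.
    for env, version in find_marimo_installs(sys.argv[1:] or [sys.prefix]):
        print(f"{env}\tmarimo {version}")
```

The source material names no fixed version, so compare the reported versions against the vendor's guidance once it is available.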

Evidence notes

This debrief is based on the supplied CISA KEV source item and official links only. The source metadata marks CVE-2026-39987 as a Marimo remote code execution vulnerability, lists it in KEV on 2026-04-23, and states the required action guidance. No CVSS score or detailed exploit mechanics were provided in the corpus.

Official resources

CISA listed CVE-2026-39987 in the Known Exploited Vulnerabilities catalog on 2026-04-23, with a remediation due date of 2026-05-07. The source corpus does not provide a separate vendor advisory publication date or a CVSS score.