[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-39987":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-24T12:20:52.508Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":40,"aliases":58,"duplicate_of":9,"upstream":61,"downstream":62,"duplicates":63,"related":64,"reserved_at":9,"published_at":65,"modified_at":66,"state":67,"summary":68,"references_raw":77,"kevs":123,"epss":133,"epss_history":135,"metrics":175,"affected":188},"CVE-2026-39987","marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. 
This vulnerability is fixed in 0.23.0.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-306","Missing Authentication for Critical Function","The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.","weakness","Draft","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-12","Choosing Message Identifier",[],{"id":25,"name":26,"techniques":27},"CAPEC-166","Force the System to Reset Values",[],{"id":29,"name":30,"techniques":31},"CAPEC-216","Communication Channel Manipulation",[],{"id":33,"name":34,"techniques":35},"CAPEC-36","Using Unpublished Interfaces or Functionality",[],{"id":37,"name":38,"techniques":39},"CAPEC-62","Cross Site Request Forgery",[],[41,50],{"_key":42,"name":43,"source":44,"url":45,"maturity":46,"reliability_score":47,"verified":48,"type":9,"platforms":49,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_MARIMO-TEAM_MARIMO","Marimo","github","https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc","poc",0.3,false,[],{"_key":51,"name":52,"source":53,"url":54,"maturity":55,"reliability_score":56,"verified":48,"type":9,"platforms":57,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_72B0AAD3AE8045FA","Exploit Reference 
(sysdig.com)","reference","https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours","unknown",0.2,[],[59,60],"GHSA-2679-6MX9-H9XC","GHSA-2679-6mx9-h9xc",[],[],[],[],"2026-04-09T17:16:55.639Z","2026-04-24T03:55:20.777Z","Analyzed",{"cisa_kev":69,"cisa_ransomware":48,"cisa_vendor":43,"epss_severity":70,"epss_score":71,"severity":72,"severity_score":73,"severity_version":74,"severity_source":75,"severity_vector":76,"severity_status":67},true,"low",0.06989,"critical",9.8,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[78,88,95,99,104,109,113,118],{"url":45,"sources":79,"tags":82},[80,81,75],"osv_pypi","cve.org",[83,84,85,86,87],"WEB","X Refsource CONFIRM","Exploit","Mitigation","Vendor Advisory",{"url":89,"sources":90,"tags":91},"https://github.com/marimo-team/marimo/pull/9098",[80,81,75],[83,92,93,94],"X Refsource MISC","Issue Tracking","Patch",{"url":96,"sources":97,"tags":98},"https://github.com/marimo-team/marimo/commit/c24d4806398f30be6b12acd6c60d1d7c68cfd12a",[80,81,75],[83,92,94],{"url":100,"sources":101,"tags":102},"https://github.com/marimo-team/marimo",[80],[103],"PACKAGE",{"url":105,"sources":106,"tags":107},"https://nvd.nist.gov/vuln/detail/CVE-2026-39987",[80],[108],"Advisory",{"url":54,"sources":110,"tags":111},[81,75],[112,85],"Third Party Advisory",{"url":114,"sources":115,"tags":116},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-39987",[81,75],[117],"Government Resource",{"url":119,"sources":120,"tags":121},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-39987",[81,75],[117,122],"US Government Resource",[124],{"source":125,"vendor":43,"product":43,"date_added":126,"vulnerability_name":127,"short_description":128,"required_action":129,"due_date":130,"known_ransomware_campaign_use":131,"notes":132,"exploitation_type":9},"cisa","2026-04-23","Marimo Remote Code Execution Vulnerability","Marimo contains an pre-authorization 
remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands.","Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","2026-05-07","Unknown","https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc ; https://nvd.nist.gov/vuln/detail/CVE-2026-39987",{"date":126,"score":71,"percentile":134},0.91492,[136,140,143,146,148,150,154,157,160,163,166,168,171,174],{"date":137,"score":138,"percentile":139},"2026-04-10",0.02704,0.85888,{"date":141,"score":138,"percentile":142},"2026-04-11",0.85896,{"date":144,"score":138,"percentile":145},"2026-04-12",0.85894,{"date":147,"score":138,"percentile":139},"2026-04-13",{"date":149,"score":138,"percentile":145},"2026-04-14",{"date":151,"score":152,"percentile":153},"2026-04-15",0.03204,0.87021,{"date":155,"score":152,"percentile":156},"2026-04-16",0.87025,{"date":158,"score":152,"percentile":159},"2026-04-17",0.87027,{"date":161,"score":152,"percentile":162},"2026-04-18",0.87029,{"date":164,"score":152,"percentile":165},"2026-04-19",0.87028,{"date":167,"score":152,"percentile":165},"2026-04-20",{"date":169,"score":71,"percentile":170},"2026-04-21",0.91479,{"date":172,"score":71,"percentile":173},"2026-04-22",0.91486,{"date":126,"score":71,"percentile":134},[176,180,183],{"source":80,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":177},{"baseScore":178,"baseSeverity":9,"vectorString":179,"impactScore":9,"exploitabilityScore":9},9.3,"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",{"source":81,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":181},{"baseScore":178,"baseSeverity":182,"vectorString":179,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":75,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":184,"cvss_v4_0":186},{"baseScore":73,"baseSeverity":182,"vectorString":76,"impactScore":73,"exploitabilityScor
e":185},10,{"baseScore":178,"baseSeverity":182,"vectorString":187,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[189,199,204],{"ecosystem":9,"name":190,"vendor":191,"product":190,"cpe_part":192,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":193},"marimo","coreweave","a",[194],{"version":195,"is_range":69,"range_type":196,"version_start":9,"version_start_type":9,"version_end":197,"version_end_type":198,"fixed_in":9},"lt0.23.0","cpe","0.23.0","excluding",{"ecosystem":9,"name":190,"vendor":200,"product":190,"cpe_part":192,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":201},"marimo-team",[202],{"version":203,"is_range":69,"range_type":81,"version_start":9,"version_start_type":9,"version_end":197,"version_end_type":198,"fixed_in":9},"\u003C 0.23.0",{"ecosystem":205,"name":190,"vendor":205,"product":190,"cpe_part":9,"purl_type":206,"purl_namespace":9,"purl_name":190,"source":9,"versions":207},"PyPI","pypi",[208],{"version":209,"is_range":69,"range_type":210,"version_start":9,"version_start_type":9,"version_end":197,"version_end_type":198,"fixed_in":9},"lt0_23_0","ecosystem"]