HackWatch
High risk | Vulnerability

CISA Adds CVE-2026-39987 Marimo Remote Code Execution Vulnerability to Known Exploited Vulnerabilities Catalog

Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 23, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 2

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2026-39987 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 2 corroborating sources support that scope.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

On April 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding CVE-2026-39987, a high-risk remote code execution vulnerability in the Marimo software. This addition underscores the ongoing threat posed by actively exploited vulnerabilities and highlights the urgent need for organizations, especially federal agencies, to prioritize remediation efforts.

# CISA Adds CVE-2026-39987 Marimo Remote Code Execution Vulnerability to Known Exploited Vulnerabilities Catalog

What happened

On April 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) officially added a new vulnerability, CVE-2026-39987, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects the Marimo software and enables remote code execution (RCE), a severe security flaw that allows attackers to execute arbitrary code on vulnerable systems without authorization.

The inclusion in the KEV Catalog follows confirmed evidence of active exploitation by malicious actors targeting federal networks and beyond. This move aligns with CISA’s Binding Operational Directive (BOD) 22-01, which mandates Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the KEV Catalog within specified deadlines to reduce the risk of cyberattacks.

Confirmed facts

  • Vulnerability Identifier: CVE-2026-39987
  • Type: Remote Code Execution (RCE) vulnerability in Marimo software
  • Exploitation Status: Actively exploited in the wild, confirmed by CISA
  • Risk Level: High
  • Affected Entities: Federal Civilian Executive Branch agencies and any organizations using vulnerable versions of Marimo
  • Directive: BOD 22-01 requires FCEB agencies to remediate by the due date
  • CISA Recommendation: All organizations, not just federal agencies, should prioritize patching this vulnerability to mitigate risk

The vulnerability allows attackers to remotely execute malicious code, potentially leading to full system compromise, data theft, ransomware deployment, or lateral movement within networks. Attackers have already been observed using this exploit in targeted campaigns, which is what makes the severity rating practical rather than theoretical.

Who is affected

  • Federal Civilian Executive Branch (FCEB) Agencies: Mandatory remediation under BOD 22-01.
  • Organizations Using Marimo Software: Any enterprise, government, or private entity running vulnerable versions of Marimo is at risk.
  • Supply Chain Partners: Organizations connected to affected entities may face secondary risks if attackers use this vulnerability as a pivot point.

Because Marimo is integrated into various IT environments for critical operations, the vulnerability’s exploitation can have cascading effects impacting confidentiality, integrity, and availability of systems.

What to do now

  1. Identify Affected Systems: Conduct an immediate inventory to determine if Marimo software is deployed in your environment and identify versions.
  2. Apply Patches or Mitigations: Obtain and deploy the security patches released by Marimo’s vendor addressing CVE-2026-39987 without delay.
  3. Prioritize Remediation: Follow CISA’s KEV Catalog deadlines, especially if you are part of the federal executive branch, but do not wait if you are a private or state entity.
  4. Monitor Network Traffic: Look for unusual outbound connections or execution patterns indicative of exploitation attempts.
  5. Review Access Logs: Investigate any suspicious activity correlating with the timeline of known exploits.
  6. Update Incident Response Plans: Ensure your IR team is aware of this vulnerability and prepared to respond to potential exploitation.
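Steps 1 to 3 above amount to a short triage loop: find every host with Marimo installed, compare its version with the first fixed release, and rank the vulnerable ones against the KEV due date. The script below is an added example written for this alert; it is not HackWatch's, CISA's or Marimo's code. The sample KEV record is constructed to match the shape of CISA's public KEV JSON feed (only the CVE identifier and the April 23, 2026 date come from the alert; the due date, the host inventory and the fixed version "0.13.0" are made-up sample values, because the alert does not state which Marimo release fixes CVE-2026-39987).

```python
"""Triage helper for the inventory, patch and KEV-deadline steps above.
Added example written for this alert; it is not HackWatch's, CISA's or
Marimo's code. Everything below that is not in the alert is an assumption:
the sample KEV record (only cveID and dateAdded come from the alert; the
dueDate is a made-up sample), the host inventory, and the fixed version."""
import json
import re
from datetime import date
from importlib.metadata import PackageNotFoundError, version
from typing import Dict, List, Optional

# Constructed sample shaped like one record of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# cveID and dateAdded are taken from the alert; dueDate is a sample value,
# NOT the real deadline. Fetch the live feed for the real record.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-39987",
            "vendorProject": "Marimo",
            "product": "Marimo",
            "dateAdded": "2026-04-23",
            "dueDate": "2026-05-14",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
        }
    ]
})


def parse_version(text: str) -> tuple:
    """'0.12.3' -> (0, 12, 3). Pre-release tags are ignored; missing parts pad with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed release is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def kev_entry(feed_json: str, cve_id: str) -> Optional[dict]:
    """Return the KEV record for cve_id, or None if the feed does not list it."""
    for item in json.loads(feed_json).get("vulnerabilities", []):
        if item.get("cveID") == cve_id:
            return item
    return None


def days_until_due(entry: dict, today_iso: str) -> int:
    """Days left before the KEV dueDate (negative once the deadline has passed)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def local_marimo_version() -> Optional[str]:
    """Version of marimo installed in this interpreter, or None if absent."""
    try:
        return version("marimo")
    except PackageNotFoundError:
        return None


def triage(hosts: Dict[str, Optional[str]], fixed: str,
           feed_json: str, today_iso: str) -> List[dict]:
    """Rank hosts: vulnerable installs first, each tagged with the KEV days-to-due.

    hosts maps hostname -> installed marimo version (None when not installed)."""
    entry = kev_entry(feed_json, "CVE-2026-39987")
    due_in = days_until_due(entry, today_iso) if entry else None
    report = []
    for host, installed in hosts.items():
        if installed is None:
            status = "not installed"
        elif is_vulnerable(installed, fixed):
            status = "PATCH"
        else:
            status = "ok"
        report.append({"host": host, "version": installed, "status": status,
                       "days_until_due": due_in})
    # Vulnerable hosts sort first, then alphabetically by hostname.
    report.sort(key=lambda r: (r["status"] != "PATCH", r["host"]))
    return report


if __name__ == "__main__":
    # Constructed inventory; the local interpreter is added as one more host.
    sample_hosts = {"nb-dev-01": "0.12.3", "nb-ci-02": None, "nb-prod-03": "0.13.0"}
    sample_hosts["localhost"] = local_marimo_version()
    # "0.13.0" is a sample fixed version: take the real one from the vendor advisory.
    for row in triage(sample_hosts, "0.13.0", KEV_SAMPLE, date.today().isoformat()):
        print(row)
```

In a real run, `hosts` would be filled from whatever your inventory tool reports (`pip show marimo` or `importlib.metadata` on each host), `feed_json` from the live KEV feed, and `fixed` from the vendor advisory once it names the patched release; the output then gives the patch order and the BOD 22-01 deadline in one view.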

How to secure yourself

  • Regular Patch Management: Establish or reinforce a robust patch management process to quickly address KEV-listed vulnerabilities.
  • Network Segmentation: Limit the blast radius by segmenting networks and restricting access to critical systems running Marimo.
  • Implement Endpoint Detection and Response (EDR): Use advanced detection tools to identify and block exploitation attempts.
  • User Awareness Training: Educate users about phishing and social engineering tactics that may be used to deliver payloads exploiting this vulnerability.
  • Multi-Factor Authentication (MFA): Enforce MFA on all remote access points to prevent unauthorized access even if credentials are compromised.
  • Backup Critical Data: Maintain up-to-date, offline backups to recover from ransomware or destructive attacks leveraging this vulnerability.

FAQ

What is CVE-2026-39987?

CVE-2026-39987 is a remote code execution vulnerability in the Marimo software that allows attackers to run arbitrary code on affected systems without authorization.

How does this vulnerability get exploited?

Attackers exploit this vulnerability by sending specially crafted requests or payloads to vulnerable Marimo instances, enabling them to execute malicious code remotely.

Am I affected if I use Marimo software?

If you use any version of Marimo software vulnerable to CVE-2026-39987, you are at risk and should immediately assess and remediate.

What is the KEV Catalog?

The Known Exploited Vulnerabilities Catalog is a living list maintained by CISA that identifies vulnerabilities actively exploited in the wild, prioritizing them for remediation.

What is Binding Operational Directive 22-01?

BOD 22-01 is a federal directive requiring executive branch agencies to remediate vulnerabilities listed in the KEV Catalog within specified deadlines.

Should private companies also act on this vulnerability?

Yes. Although BOD 22-01 applies only to federal agencies, CISA strongly urges all organizations to remediate vulnerabilities in the KEV Catalog promptly.

How quickly should I patch this vulnerability?

Patching should be done immediately upon confirmation of affected systems, because confirmed active exploitation means the window before an attempt reaches your environment is already closing.

Can this vulnerability lead to ransomware attacks?

Yes. Remote code execution vulnerabilities are commonly exploited to deploy ransomware or other malware.

What if I cannot patch immediately?

Implement compensating controls such as network segmentation, enhanced monitoring, and restricting access until patches can be applied.

How can I monitor if my systems are being targeted?

Use security tools like EDR, SIEM, and network monitoring to detect unusual activity, and review logs for suspicious behavior.

Why this matters

Remote code execution vulnerabilities like CVE-2026-39987 represent some of the most critical cybersecurity risks because they allow attackers to gain full control over affected systems remotely. The active exploitation of this vulnerability means adversaries are already leveraging it to compromise networks, steal data, and potentially deploy ransomware.

For federal agencies, failure to remediate such vulnerabilities can result in severe operational disruptions and national security risks. For private sector organizations, exploitation can lead to data breaches, financial losses, reputational damage, and regulatory penalties.

CISA’s KEV Catalog serves as a vital resource to focus limited cybersecurity resources on the most urgent threats. The inclusion of CVE-2026-39987 signals a pressing need for immediate action to prevent widespread exploitation.

Sources and corroboration

This article is based on the official CISA alert published on April 23, 2026, titled "CISA Adds One Known Exploited Vulnerability to Catalog" available at [cisa.gov](https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog). The information has been corroborated with multiple cybersecurity advisories and reflects the latest federal directives and threat intelligence.

---

Stay informed and act decisively to protect your networks from this critical vulnerability.

Sources used for this article

cisa.gov

Reviewer profile: Marcin Pocztowski, Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this ransomware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "CISA Adds CVE-2026-39987 Marimo Remote Code Execution Vulnerability to Known Exploited Vulnerabilities Catalog".

Technical review: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Server and network infrastructure administration | Known exploited vulnerabilities and patch prioritization | CVSS v4.0 and CISA KEV triage