CVE-2026-54386
published 2026-06-17CVE-2026-54386: marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary…
PriorityP427medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.24%
14.9th percentile
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| marimo-team | marimo | < 0.23.9 | 0.23.9 |
| marimo-team | marimo | >= 0 < 0.23.9 | 0.23.9 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cvelistv5v4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
marimo contains a reflected cross-site scripting vulnerability in the notebook page
ghsa·2026-06-18
CVE-2026-54386 [MEDIUM] CWE-79 marimo contains a reflected cross-site scripting vulnerability in the notebook page
marimo contains a reflected cross-site scripting vulnerability in the notebook page
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.
CVEList
marimo < 0.23.9 XSS via file Query Parameter in assets.py
cvelistv5·2026-06-17·CVSS 5.1
CVE-2026-54386 [MEDIUM] CWE-79 marimo < 0.23.9 XSS via file Query Parameter in assets.py
marimo < 0.23.9 XSS via file Query Parameter in assets.py
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-17
Published