Marimo-Team Marimo vulnerabilities
2 known vulnerabilities affecting marimo-team/marimo.
Total CVEs: 2
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, MEDIUM 1
Vulnerabilities
CVE-2026-39987 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | fixed in 0.23.0 | 2026-04-09
CVE-2026-39987 [CRITICAL] CWE-306
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate
Sources: GHSA, NVD, OSV
CVE-2026-54386 | P4 | MEDIUM | CVSS 6.1 | fixed in 0.23.9 | 2026-06-17
CVE-2026-54386 [MEDIUM] CWE-79
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload begi
Sources: cvelistv5, GHSA, NVD