Changeflow GovPing Data Privacy & Cybersecurity CISA Adds Marimo CVE-2026-39987 to KEV Catalog
Priority review Notice Added Final

CISA Adds Marimo CVE-2026-39987 to KEV Catalog

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published
Detected
Email

Summary

CISA has added CVE-2026-39987, a Marimo Remote Code Execution vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability was added on April 23, 2026 and represents a frequent attack vector for malicious cyber actors posing significant risk to the federal enterprise. Federal Civilian Executive Branch agencies are subject to Binding Operational Directive 22-01 remediation requirements for this newly cataloged vulnerability.

Published by CISA on cisa.gov . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

CISA's Industrial Control Systems team publishes vulnerability advisories specifically for OT, ICS, SCADA, and critical infrastructure software: Siemens, Schneider Electric, Rockwell Automation, ABB, Honeywell, Emerson, GE Digital, plus the supporting protocols. Around 65 advisories a month, each with a CVSS score, affected products, mitigation guidance, and where applicable a Known Exploited Vulnerabilities Catalog entry. ICS advisories are higher-stakes than general IT vulns: a CVSS 7 in a PLC firmware can mean physical safety risk in a factory or grid asset. Watch this if you secure industrial networks, run a SOC for a manufacturer, or advise critical infrastructure operators. GovPing publishes each advisory with the affected vendor, CVSS, and CISA link.

View original document View source feed page

What changed

CISA added one new vulnerability, CVE-2026-39987 affecting Marimo products, to its Known Exploited Vulnerabilities Catalog. The addition is based on documented evidence of active exploitation and reflects the agency's ongoing effort to track CVEs that pose significant risk to the federal enterprise.

Federal Civilian Executive Branch agencies subject to BOD 22-01 must remediate this vulnerability according to the directive's timelines. CISA also strongly urged all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice, extending the directive's spirit beyond the federal civilian executive branch.

Archived snapshot

Apr 24, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alert

CISA Adds One Known Exploited Vulnerability to Catalog

Release Date

April 23, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2026-39987 Marimo Remote Code Execution Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Mentioned entities

Cybersecurity and Infrastructure Security Agency

Related changes

Favicon for www.cisa.gov CISA Adds Microsoft Defender CVE-2026-33825 to Known Exploited Vulnerabilities Catalog
Priority review Apr 23, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov Microsoft Defender CVE-2026-33825 Local Privilege Escalation
Priority review Apr 23, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA and NCSC-UK Issue Joint Advisory on Chinese Government-Linked Cyber Threats
Priority review Apr 23, 2026 US CISA News Data Privacy & Cybersecurity

Get daily alerts for CISA ICS-CERT Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
CISA
Published
April 23rd, 2026
Instrument
Notice
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Government agencies
Industry sector
9211 Government & Public Administration
Activity scope
Vulnerability remediation Cybersecurity response
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy Sanctions

Browse Categories

Agriculture & Food Safety 84 AI Regulation 3 Banking & Finance 522 Consumer Protection 148 Courts & Legal 646 Data Privacy & Cybersecurity 159 Defense & National Security 53 Education 64 Energy 141 Environment 175 Gaming 2 Government & Legislation 538 Healthcare 15 Healthcare & Life Sciences 414 Immigration 11 Insurance 92 Labor & Employment 199 Pharma & Drug Safety 21 Professional Licensing 6 Real Estate & Housing 76 Securities & Markets 176 Tax 124 Telecom & Technology 58 Trade & Sanctions 171 Transportation 134

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!