Share
## https://sploitus.com/exploit?id=ACB372C1-16C6-5ED3-B493-7F4AE7C5E504
# CVE-2026-39987 - a full PTY shell Unauthenticated Stored Cross-Site Scripting

**Severity:** CRITICAL
**CVSS:** 9.8
**Impact:** Confidentiality, Integrity, Availability
**Published:** 2026-04-09

## Legal

For authorized security testing only.

## Root Cause (short version)

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.

## Exploitation Requirements

- Reachable vulnerable target
- Predictable user/workflow context
- No additional hardening that blocks crafted requests

## How to use

```bash
python3 exploit.py https://target.tld
```

## Detection

- Monitor suspicious authentication flow deviations
- Investigate abnormal direct endpoint hits tied to CVE-2026-39987

## Mitigation

- Update to the fixed vendor version
- Restrict risky endpoints and enforce MFA where possible

## Exploit

[Download PoC](https://tinyurl.com/2499dcv5)