Reflected Cross-Site Scripting Vulnerability in Marimo by Marimo Team
CVE-2026-54386

5.1MEDIUM

Key Information:

Vendor

Marimo-team

Status
Marimo
Vendor
CVE Published:
17 June 2026

What is CVE-2026-54386?

The Marimo product prior to version 0.23.9 is susceptible to a reflected cross-site scripting vulnerability located in the notebook page. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code by exploiting improper escaping of single quotes within the file query parameter. By creating a specifically crafted malicious link, an attacker can execute JavaScript on the victim's server without being obstructed by Content-Security-Policy (CSP) measures. This vulnerability poses significant risks, as it enables attackers to execute malicious scripts in the context of a user's session.

Affected Version(s)

marimo 0

References

https://github.com/marimo-team/marimo/releases/tag/0.23.9
release-notes
https://github.com/marimo-team/marimo/pull/9789
issue-tracking
https://github.com/marimo-team/marimo/commit/fdd55c8cf626...
patch

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Elvin Suleymanov
.