VulnerableCode Package Details - pkg:pypi/marimo@0.1.53

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/marimo@0.1.53

Essentials
History (1)

purl	pkg:pypi/marimo@0.1.53

Next non-vulnerable version	0.23.0
Latest non-vulnerable version	0.23.0
Risk

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-9bwk-y71b-bkg5 Aliases: CVE-2026-39987 GHSA-2679-6mx9-h9xc	marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.	0.23.0 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:57:06.018094+00:00	GitLab Importer	Affected by	VCID-9bwk-y71b-bkg5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/marimo/CVE-2026-39987.yml	38.6.0