Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54386

CVE-2026-54386: marimo Reflected XSS Vulnerability

CVE-2026-54386 is a reflected XSS vulnerability in marimo before 0.23.9 that allows attackers to inject JavaScript via the file query parameter. This post covers technical details, affected versions, and mitigations.

Published:

CVE-2026-54386 Overview

CVE-2026-54386 is a reflected cross-site scripting (XSS) vulnerability in marimo, an open-source reactive Python notebook. Versions before 0.23.9 improperly escape single quotes in the file query parameter on the notebook page. The unescaped value is reflected into an inline JavaScript string literal, allowing unauthenticated attackers to inject arbitrary JavaScript. A payload prefixed with __new__ bypasses the 404 check and executes script in the origin of the victim's marimo server without Content-Security-Policy (CSP) restrictions. The vulnerability is tracked under CWE-79.

Critical Impact

Attackers can execute arbitrary JavaScript in a victim's browser session on the marimo notebook origin, enabling session theft, notebook tampering, and pivoting to sensitive data accessible through the notebook server.

Affected Products

  • marimo (Python reactive notebook) versions prior to 0.23.9
  • Vulnerable endpoint: notebook page served via marimo/_server/api/endpoints/assets.py
  • Fixed release: marimo 0.23.9

Discovery Timeline

Technical Details for CVE-2026-54386

Vulnerability Analysis

The flaw resides in the assets endpoint that renders the marimo notebook page. The server takes the user-supplied file query parameter and injects it directly into an inline JavaScript string literal in the HTML response. Because single quotes are not escaped, an attacker can break out of the string literal and append arbitrary JavaScript statements.

A logic check that returns HTTP 404 for unknown files is bypassed when the attacker prefixes the value with the sentinel string __new__. This sentinel is treated as a request to open a new notebook, allowing the rendered page to proceed with the attacker-controlled value still embedded in the JavaScript context. The injected script executes in the same-origin context of the marimo server without CSP mitigation.

Root Cause

The root cause is improper output encoding of user-controlled input placed inside a JavaScript string literal [CWE-79]. The file_key value was concatenated into client-side JavaScript without escaping characters that have meaning in that context, such as single quotes and backslashes. The absence of a Content-Security-Policy header on the notebook response removes a secondary defense layer.

Attack Vector

Exploitation requires only that a victim click a crafted link pointing to a marimo notebook server. The attacker controls the file parameter and prefixes the payload with __new__ to defeat the 404 path, then closes the JavaScript string and injects script. No authentication is required. The injected code runs with the privileges of the victim's session on the marimo origin.

python
# Patch excerpt — marimo/_server/api/endpoints/assets.py
# Fix: escape user-controlled file_key in service worker injection (#9789)
from marimo._server.templates.templates import (
    home_page_template,
    inject_script,
+   json_script,
    notebook_page_template,
)
from marimo._session.model import SessionMode

Source: marimo commit fdd55c8

The patch routes the user-controlled file_key through a json_script helper, which produces a safely encoded JSON representation rather than raw string concatenation into JavaScript.

Detection Methods for CVE-2026-54386

Indicators of Compromise

  • HTTP GET requests to marimo notebook routes with a file query parameter beginning with __new__ followed by characters such as ', ;, <, or >.
  • Access log entries containing URL-encoded JavaScript fragments (for example %27, %3Cscript%3E, onerror=) in the file parameter.
  • Outbound requests from browser sessions to attacker-controlled hosts immediately after a user opens a marimo notebook link.

Detection Strategies

  • Inspect web server and reverse proxy logs for requests to marimo asset endpoints where the file parameter contains quote characters, angle brackets, or javascript: schemes.
  • Deploy a web application firewall rule that flags reflected XSS patterns on query parameters destined for marimo notebook routes.
  • Compare the running marimo version against 0.23.9 across managed Python environments and container images.

Monitoring Recommendations

  • Alert on anomalous referrer values directing users to internal marimo hosts from external chat, email, or social media domains.
  • Monitor browser telemetry for script execution on marimo origins that initiates DOM modification or token exfiltration shortly after page load.
  • Track new outbound network connections initiated from user workstations to uncommon domains following notebook access.

How to Mitigate CVE-2026-54386

Immediate Actions Required

  • Upgrade marimo to version 0.23.9 or later on every host, container, and developer workstation that runs the notebook server.
  • Restrict network exposure of marimo servers so that they are not reachable from untrusted networks or the public internet.
  • Educate users to avoid clicking unsolicited links that target internal marimo URLs, particularly links containing a file query parameter.

Patch Information

The fix is delivered in marimo 0.23.9 via Pull Request #9789 and commit fdd55c8. The patch escapes the user-controlled file_key in the service worker injection by serializing it through a json_script helper. Additional context is available in the VulnCheck advisory.

Workarounds

  • Place marimo behind an authenticating reverse proxy that strips or validates the file query parameter against an allowlist.
  • Enforce a strict Content-Security-Policy header at the proxy layer that disallows inline script execution on marimo responses.
  • Block requests where the file parameter contains single quotes, backslashes, or characters outside an expected filename character set.
bash
# Example: upgrade marimo to the patched version
pip install --upgrade 'marimo>=0.23.9'

# Verify installed version
python -c "import marimo; print(marimo.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.