CISA updated its Known Exploited Vulnerabilities catalog to add three vulnerabilities now tracked as actively exploited: CVE-2026-39987 in Marimo, CVE-2024-1708 in ConnectWise ScreenConnect, and CVE-2026-32202 in Microsoft Windows. The Marimo issue was added in a catalog update that raised the total count to 1,579 entries, while a later update increased the catalog to 1,585 entries and included the ScreenConnect and Windows flaws.
CISA described CVE-2026-39987 as an unauthenticated remote code execution vulnerability that can provide shell access and allow arbitrary system command execution before authorization, mapped to CWE-306. CVE-2024-1708 was listed as a ScreenConnect path traversal flaw that could enable remote code execution or directly affect confidential data and critical systems, and CVE-2026-32202 was identified as a Windows Shell protection mechanism failure that allows network spoofing by an unauthorized attacker. CISA directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable; remediation deadlines were set for 2026-05-07 for Marimo and 2026-05-12 for the ScreenConnect and Windows entries.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
CISA published an updated Known Exploited Vulnerabilities catalog on 2026-05-04, increasing the total number of listed vulnerabilities to 1,587. The provided reference shows updated catalog metadata and release timestamp but does not identify the specific newly added CVEs.
CISA updated the KEV catalog on 2026-04-28, raising the total number of listed vulnerabilities from 1,583 to 1,585. The newly added entries were CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows, both assigned a remediation due date of 2026-05-12.
CISA updated the Known Exploited Vulnerabilities catalog on 2026-04-23, increasing the total from 1,578 to 1,579 entries. The new entry was CVE-2026-39987, a Marimo remote code execution vulnerability allowing unauthenticated attackers to gain shell access and execute arbitrary commands before authorization, with a remediation due date of 2026-05-07.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.