Critical flaw in Marimo Python notebook exploited within 10 hours of disclosure

Summary

A critical pre-authentication remote code execution (RCE) vulnerability in the open-source Marimo Python notebook platform was exploited in the wild within 10 hours of its public disclosure. The flaw, tracked as CVE-2026-39987, lets an unauthenticated attacker take complete control of an exposed Marimo instance with a single connection request to a specific endpoint.

IFF Assessment

FOE

This is bad news for defenders: the flaw went from public disclosure to in-the-wild exploitation in about 10 hours, which points both to low exploitation effort (a single unauthenticated request) and to attackers actively watching for new disclosures of this kind.

Severity

9.3 Critical

The 9.3 CVSS score follows from the vulnerability's profile: it is reachable over the network, requires no authentication, and yields arbitrary code execution on the host running the notebook, which in practice means full compromise of that instance. A notebook server executes Python by design, so code execution in it carries the full privileges of the account running Marimo.

Defender Context

This incident shows how quickly a newly disclosed vulnerability can be weaponized: a 10-hour window leaves no room for a normal patch cycle. Defenders should treat internet-exposed instances as the priority: patch immediately, or, where that cannot be done at once, take the instance off the public interface (bind it to loopback and reach it over SSH or an authenticating reverse proxy) until it is patched. Because exploitation began within hours of disclosure, an instance that was exposed and unpatched during that window should be reviewed for signs of compromise rather than only patched.
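The first step in that prioritization is knowing which notebook servers are actually reachable from outside the host. The script below is an added example, not code from the original story or from the Marimo project: it parses `ss -ltnp` output (Linux, iproute2) and reports listening sockets owned by a given process name that are bound to a wildcard or non-loopback address. The sample `ss` output is constructed, and the process name `marimo` and the ports shown are assumptions for illustration; the match is on process name, not port.

```python
"""Flag notebook servers listening on non-loopback interfaces.

Parses `ss -ltnp` output (Linux) and reports sockets owned by the given
process names that are bound to a wildcard or non-loopback address.
"""
import ipaddress
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output; not captured from a real host.
# Process name "marimo" and the ports are assumed for illustration.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2718        0.0.0.0:*         users:(("marimo",pid=4242,fd=7))
LISTEN 0      128    127.0.0.1:2718      0.0.0.0:*         users:(("marimo",pid=4243,fd=7))
LISTEN 0      4096   [::]:8080           [::]:*            users:(("python3",pid=5151,fd=9))
LISTEN 0      128    [::1]:2719          [::]:*            users:(("marimo",pid=4244,fd=7))
LISTEN 0      128    10.0.0.5:2720       0.0.0.0:*         users:(("marimo",pid=4245,fd=7))
LISTEN 0      128    [::]:22             [::]:*
"""

# Matches the first process entry in ss's Process column: (("name",pid=N,fd=M))
_PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass(frozen=True)
class Listener:
    process: str
    pid: int
    address: str
    port: int
    exposure: str  # "loopback", "wildcard", "specific" or "unknown"

    @property
    def exposed(self) -> bool:
        """True if the socket can be reached from another host."""
        return self.exposure in ("wildcard", "specific")


def classify_bind(address: str) -> str:
    """Classify a bind address by who can reach it."""
    if address in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    return "loopback" if ip.is_loopback else "specific"


def parse_ss(output: str):
    """Yield Listener records from `ss -ltnp` text.

    Skips the header and any socket without process info (ss only shows
    the Process column for sockets you own, or for all sockets as root).
    """
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are bracketed: [::1]:2719
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        if not m:
            continue  # cannot attribute the socket to a process
        yield Listener(m["name"], int(m["pid"]), addr, int(port), classify_bind(addr))


def find_exposed(output: str, process_names=("marimo",)):
    """Listeners owned by process_names that are reachable from off-host."""
    return [rec for rec in parse_ss(output)
            if rec.process in process_names and rec.exposed]


def audit_host(process_names=("marimo",)):
    """Run ss on this host. Returns [] when ss is not installed."""
    if shutil.which("ss") is None:
        return []
    proc = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=False)
    return find_exposed(proc.stdout, process_names)


if __name__ == "__main__":
    for rec in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"{rec.process}[{rec.pid}] listens on {rec.address}:{rec.port} ({rec.exposure})")
```

Anything this reports is reachable from beyond the machine and is the population to patch first or to move behind loopback and an authenticating proxy. It only inventories exposure; it does not test for or exercise the vulnerability, and on a host with a firewall or cloud security group in front of it, a "specific" or "wildcard" bind is a candidate to confirm against those rules rather than a certain internet exposure.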
