Vulnerability Management, Patch/Configuration Management

Marimo vulnerability exploited within hours of disclosure

A critical remote code execution vulnerability in the open-source Python notebook Marimo has been exploited less than 10 hours after its public disclosure, as reported by The Hacker News.

The vulnerability, identified as CVE-2026-39987 with a CVSS score of 9.3, affected all Marimo versions prior to 0.23.0. Because the terminal WebSocket endpoint (/terminal/ws) did not validate authentication, unauthenticated attackers could obtain a full PTY shell and execute arbitrary system commands. Sysdig observed an unknown threat actor targeting a honeypot system within 9 hours and 41 minutes of the disclosure. The attacker manually performed reconnaissance, searched for SSH keys, and attempted to harvest credentials from .env files, demonstrating rapid weaponization of the disclosed flaw.

The swift exploitation highlights the shrinking window between vulnerability disclosure and weaponization, demanding faster response times from defenders. It also underscores that any internet-facing application with a critical advisory, regardless of its popularity, can become a target for threat actors actively monitoring for such opportunities.

Source: The Hacker News
