A critical vulnerability in Marimo, an open-source Python notebook tool used for data science and interactive coding, was exploited mere hours after its disclosure as CVE-2026-39987 (CVSS 9.3). Attackers leveraged the flaw within 10 hours of its public disclosure on April 8, 2026. The Sysdig Threat Research Team observed exploitation as little as 9 hours and 41 minutes after disclosure, with credential theft completed in under 3 minutes, all without any public exploit code being available [1]. The rapid exploitation of CVE-2026-39987 highlights the importance of prompt patching and monitoring, especially for tools like Marimo that are widely deployed in data-intensive environments. It also underscores the need for practitioners to prioritize vulnerability management based on their specific exposure and on evidence of active exploitation: what matters most is how quickly an organization can respond to and mitigate such critical flaws to prevent widespread compromise.
CVE-2026-39987: Marimo RCE exploited in hours after disclosure
⚡ High Priority
Why This Matters
CVE-2026-39987 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, April 11). CVE-2026-39987: Marimo RCE exploited in hours after disclosure. *SecurityAffairs*. https://securityaffairs.com/190623/hacking/cve-2026-39987-marimo-rce-exploited-in-hours-after-disclosure.html
Original Source
SecurityAffairs