Critical Marimo Flaw Exploited Hours After Public Disclosure
Within nine hours, a hacker built an exploit from the advisory for the unauthenticated bug and started using it in the wild.
A threat actor built an exploit for a critical-severity vulnerability in Marimo and started using it in attacks roughly nine hours after the bug’s public disclosure, cloud security firm Sysdig reports.
Marimo is an open source reactive notebook for Python designed to ensure that code, outputs, and program state remain consistent. It has approximately 20,000 stars on GitHub.
On April 8, the platform’s maintainers disclosed CVE-2026-39987 (CVSS score of 9.3), an unauthenticated remote code execution (RCE) flaw rooted in the lack of authentication validation in the terminal WebSocket endpoint.
Source: https://www.securityweek.com/critical-marimo-flaw-exploited-hours-after-public-disclosure/
Related breach coverage
- Critical Langflow Vulnerability Exploited Hours After Public Disclosure (2026-03-20)
  Because attacker-supplied flow data is used in public flows, the bug leads to unauthenticated remote code execution.
- Mirai Botnet Targets Flaw in Discontinued D-Link Routers (2026-04-22)
  The exploitation of the command injection vulnerability started one year after public disclosure and PoC exploit code publication.
- BeyondTrust Vulnerability Targeted by Hackers Within 24 Hours of PoC Release (2026-02-13)
  Exploitation attempts target CVE-2026-1731, a critical unauthenticated remote code execution flaw in BeyondTrust Remote Support.
- In Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker Arrested (2026-04-17)
  Other noteworthy stories that might have slipped under the radar: ShinyHunters targets Rockstar Games, ShowDoc vulnerability exploited in the wild, and EPA to boost cybersecurity budget to $19 million.
