Marimo's maintainers disclosed a critical vulnerability, CVE-2026-39987 (CVSS 9.3), describing it as an unauthenticated remote code execution flaw in the terminal WebSocket endpoint. Within nine hours, a threat actor built an exploit from the advisory and began using it in the wild; according to Sysdig, exploitation was observed 9 hours and 41 minutes after the advisory was published.
The firm notes that exploitation came from a single IP address, while another 125 addresses were involved in reconnaissance activities such as port scanning and HTTP probing. The attacker connected to the vulnerable terminal endpoint, performed manual reconnaissance, and attempted to read files and SSH keys; credential-containing files were exfiltrated, and the whole operation is reported to have finished within three minutes. Security guidance urges users to update Marimo to version 0.23.0 or newer, which includes patches for the bug.