Marimo pre-authenticated RCE exploited (CVE-2026-39987)
Vulnerability
Summary
Hide ▲
Show ▼
Marimo's CVE-2026-39987 now exposes internet-facing /terminal/ws instances to unauthenticated remote code execution, creating a path to a full PTY shell on affected servers. The flaw affects all versions prior to and including 0.20.4 and was fixed in 0.23.0. Sysdig observed exploitation within 10 hours of public disclosure, showing how quickly the vulnerability was weaponized.
Cases
Related Happenings
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
CampaignAbout this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
How related:
Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveHow related: Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.
About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Langflow CVE-2026-33017 exploitation wave
Exploitation Wave
First: 20.03.2026 12:20
Last: 20.03.2026 12:20
Sources 1
About this happening:
**CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...
Langflow CVE-2026-33017 exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector ActionAbout this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
Timeline
-
10.04.2026 10:37 2 articles · 1mo ago
Marimo discloses CVE-2026-39987 and early exploitation is observed
Initial DisclosureMarimo identified CVE-2026-39987 as a CVSS 9.3 pre-authenticated remote code execution flaw in the /terminal/ws WebSocket endpoint, affecting all versions prior to and including 0.20.4 and fixed in 0.23.0; Sysdig then observed exploitation shortly after public disclosure, including a full PTY shell, manual reconnaissance, attempts to harvest .env data and SSH keys, and no proof-of-concept code available at the time.
Show sources
- Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — thehackernews.com — 10.04.2026 10:37
- Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face — www.bleepingcomputer.com — 16.04.2026 19:58