Find notable cyber news and cases, enriched with sources, timelines, and signals.

Marimo pre-authenticated RCE exploited (CVE-2026-39987)

Vulnerability
First reported
Last updated
Happening score
H score 51
2 unique sources, 3 articles

Summary

Hide ▲

Marimo's CVE-2026-39987 now exposes internet-facing /terminal/ws instances to unauthenticated remote code execution, creating a path to a full PTY shell on affected servers. The flaw affects all versions prior to and including 0.20.4 and was fixed in 0.23.0. Sysdig observed exploitation within 10 hours of public disclosure, showing how quickly the vulnerability was weaponized.

Cases

Related Happenings

Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files

Technical Analysis
H score22 First: 08.07.2026 14:21 Last: 08.07.2026 14:21 Sources 1

About this happening: Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...

Marimo notebook and downstream SSH bastion hit by data theft breach

Incident
H score40 First: 29.05.2026 17:39 Last: 29.05.2026 17:39 Sources 1

How related: "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said.

About this happening: A **Marimo** notebook compromise led to **credential theft**, **SSH access**, and exfiltration of an **internal PostgreSQL database**, expanding a single initial intrusion into de...

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
H score89 First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
H score38 First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
H score51 First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

How related: Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Timeline

  1. 10.04.2026 10:37 3 articles · 3mo ago

    Marimo discloses CVE-2026-39987 and early exploitation is observed

    Initial Disclosure

    Marimo identified CVE-2026-39987 as a CVSS 9.3 pre-authenticated remote code execution flaw in the /terminal/ws WebSocket endpoint, affecting all versions prior to and including 0.20.4 and fixed in 0.23.0; Sysdig then observed exploitation shortly after public disclosure, including a full PTY shell, manual reconnaissance, attempts to harvest .env data and SSH keys, and no proof-of-concept code available at the time.

    Show sources