Marimo pre-authenticated RCE exploited (CVE-2026-39987)
Vulnerability
Summary
Hide ▲
Show ▼
Marimo's CVE-2026-39987 now exposes internet-facing /terminal/ws instances to unauthenticated remote code execution, creating a path to a full PTY shell on affected servers. The flaw affects all versions prior to and including 0.20.4 and was fixed in 0.23.0. Sysdig observed exploitation within 10 hours of public disclosure, showing how quickly the vulnerability was weaponized.
Cases
Related Happenings
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical Analysis
H score22
First: 08.07.2026 14:21
Last: 08.07.2026 14:21
Sources 1
About this happening:
Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical AnalysisAbout this happening: Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...
Marimo notebook and downstream SSH bastion hit by data theft breach
Incident
H score40
First: 29.05.2026 17:39
Last: 29.05.2026 17:39
Sources 1
How related:
"The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said.
About this happening:
A **Marimo** notebook compromise led to **credential theft**, **SSH access**, and exfiltration of an **internal PostgreSQL database**, expanding a single initial intrusion into de...
Marimo notebook and downstream SSH bastion hit by data theft breach
IncidentHow related: "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said.
About this happening: A **Marimo** notebook compromise led to **credential theft**, **SSH access**, and exfiltration of an **internal PostgreSQL database**, expanding a single initial intrusion into de...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
H score38
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
CampaignAbout this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
H score51
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
How related:
Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveHow related: Within the first 12 hours after the vulnerability details were disclosed, 125 IP addresses began reconnaissance activity, according to Sysdig.
About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Timeline
-
10.04.2026 10:37 3 articles · 3mo ago
Marimo discloses CVE-2026-39987 and early exploitation is observed
Initial DisclosureMarimo identified CVE-2026-39987 as a CVSS 9.3 pre-authenticated remote code execution flaw in the /terminal/ws WebSocket endpoint, affecting all versions prior to and including 0.20.4 and fixed in 0.23.0; Sysdig then observed exploitation shortly after public disclosure, including a full PTY shell, manual reconnaissance, attempts to harvest .env data and SSH keys, and no proof-of-concept code available at the time.
Show sources
- Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure — thehackernews.com — 10.04.2026 10:37
- Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face — www.bleepingcomputer.com — 16.04.2026 19:58
- Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit — thehackernews.com — 29.05.2026 17:39