Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
Summary
Marimo exploitation activity surged within 12 hours of disclosure, with 125 IP addresses beginning reconnaissance against CVE-2026-39987 and the /terminal/ws exposure, raising the risk of rapid follow-on compromise. The wave quickly escalated into a credential theft operation that sought shell access and .env secrets. The activity matters because the flaw enables unauthenticated remote code execution on Marimo versions 0.20.4 and earlier. It also shows how quickly newly disclosed internet-facing weaknesses can draw broad probing and hands-on abuse.
Related Happenings
openDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Tropic Trooper trojanized SumatraPDF remote-access campaign
Campaign
First: 24.04.2026 12:29
Last: 24.04.2026 12:29
Sources 1
About this happening:
**Tropic Trooper** is running an active **campaign** that uses a **trojanized SumatraPDF** lure to plant **AdaptixC2 Beacon** and later abuse **VS Code tunnels** for remote access...
LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)
Vulnerability
First: 24.04.2026 10:24
Last: 24.04.2026 10:24
Sources 1
About this happening:
**LMDeploy CVE-2026-33626** is being **actively exploited** within **13 hours** of disclosure, turning a **vision-language SSRF flaw** into a path to **cloud credentials** and **i...
TP-Link router authenticated command injection (CVE-2023-33538)
Vulnerability
First: 20.04.2026 10:50
Last: 20.04.2026 10:50
Sources 1
About this happening:
**CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...
Timeline
12.04.2026 17:20 · 2 articles
Marimo discloses CVE-2026-39987
Initial Disclosure: Marimo publicly disclosed CVE-2026-39987, a pre-authentication remote code execution flaw in versions 0.20.4 and earlier caused by the '/terminal/ws' WebSocket endpoint exposing an interactive terminal without proper authentication checks, affecting deployments exposed in edit mode or on a shared network.
Sources:
- Critical Marimo pre-auth RCE flaw now under active exploitation — www.bleepingcomputer.com — 12.04.2026 17:20
- Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face — www.bleepingcomputer.com — 16.04.2026 19:58
12.04.2026 17:20 · 1 article
Marimo releases version 0.23.0 to fix CVE-2026-39987
Mitigation Patch Update: Marimo released version 0.23.0 to address CVE-2026-39987 and advised users to upgrade immediately; if upgrading is not possible, external access to '/terminal/ws' should be blocked or disabled and exposed secrets should be rotated.
Sources:
- Critical Marimo pre-auth RCE flaw now under active exploitation — www.bleepingcomputer.com — 12.04.2026 17:20
12.04.2026 03:00 · 1 article
Sysdig reports hands-on exploitation and credential theft
Technical Analysis Update: Sysdig researchers reported active exploitation that began less than 10 hours after disclosure, with 125 IP addresses starting reconnaissance within the first 12 hours. The first exploitation attempt validated remote code execution at '/terminal/ws', then continued with manual reconnaissance using pwd, whoami, and ls before targeting .env files, cloud credentials, application secrets, and SSH keys; the credential access phase finished in less than three minutes and no persistence was attempted.
Sources:
- Critical Marimo pre-auth RCE flaw now under active exploitation — www.bleepingcomputer.com — 12.04.2026 17:20
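
The timeline above names '/terminal/ws' as both the endpoint probed and the one to block. As an added example (not code from Marimo, Sysdig or the cited articles), the script below shows one way to check whether that endpoint was requested from outside trusted networks and whether the WebSocket upgrade succeeded. It assumes a reverse proxy in front of Marimo writing nginx "combined" access logs; the sample lines, trusted ranges and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:20:01:11 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"
203.0.113.7 - - [12/Apr/2026:20:01:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [12/Apr/2026:21:14:02 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 403 153 "-" "-"
10.0.4.18 - - [12/Apr/2026:21:30:40 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "-"
198.51.100.99 - - [12/Apr/2026:22:05:09 +0000] "GET /api/status HTTP/1.1" 200 88 "-" "-"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def terminal_ws_hits(lines, trusted=("10.0.0.0/8", "127.0.0.0/8")):
    """Return {source_ip: [(timestamp, status), ...]} for untrusted /terminal/ws requests."""
    nets = [ipaddress.ip_network(n) for n in trusted]  # assumed internal ranges
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["target"].split("?", 1)[0].rstrip("/")  # ignore query string
        if path != "/terminal/ws":
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # first field was not an IP address
        if any(ip in n for n in nets):
            continue  # request came from a trusted network
        hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def upgraded(hits):
    """Sources that received HTTP 101, i.e. the WebSocket upgrade succeeded."""
    return sorted(ip for ip, ev in hits.items() if any(s == 101 for _, s in ev))

if __name__ == "__main__":
    hits = terminal_ws_hits(SAMPLE_LOG)
    print("external sources requesting /terminal/ws:", sorted(hits))
    print("upgrade succeeded (treat secrets as exposed):", upgraded(hits))
```

A 101 response to an untrusted source means the terminal endpoint was reachable at that time, which is the condition under which the advisory's secret-rotation step applies; 403 or 404 responses indicate the block was in effect.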