Attackers began exploiting a critical vulnerability in Marimo, the popular open-source Python notebook tool, roughly nine hours after the bug was publicly disclosed, according to security researchers who tracked the incident in real time. The flaw, tracked as CVE-2026-39987, has sent the developer and data science community scrambling to patch affected systems.
What the Flaw Does
The vulnerability allows attackers to achieve remote code execution on machines running unpatched versions of Marimo; code runs with the privileges of the notebook server process, so it is not confined to the notebook itself. Because Marimo notebooks are often exposed to local networks or shared across development teams, a single compromised notebook can be turned into a full host takeover, and anything reachable from that host is in scope next. Researchers described the exploit chain as “embarrassingly simple” once the disclosure was public.
Nine Hours to Weaponisation
Security firms tracking the exploit say they observed active attacks within nine hours of the CVE being published. That timeline is among the fastest recorded for an open-source tool of Marimo’s size, and it shows how quickly modern attackers can turn public bug details into working attacks.
What Users Should Do
Marimo’s maintainers released a patched version within hours of the disclosure and urged all users to upgrade immediately. Teams running Marimo in production environments should also audit access logs for suspicious activity since the disclosure, with particular attention to any instance that was reachable from a network during that window. Upgrading closes the hole but does not remove an attacker who already used it, so a host that shows signs of compromise needs an incident response, not just a patch. Security researchers stressed that responsible disclosure windows alone are no longer enough: organisations must assume that public vulnerabilities become live threats within hours.