A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been actively exploited within just 10 hours of public disclosure, highlighting the growing speed of weaponization in the modern threat landscape.<\/p>\n
CVE-2026-39987 is a Remote Code Execution (RCE) vulnerability affecting Marimo versions prior to 0.8.12. The flaw exists in the notebook’s cell execution engine, allowing an attacker to craft a malicious notebook file that executes arbitrary code on the host system when opened.<\/p>\n
The vulnerability stems from:<\/p>\n
CVSS Score: 9.8 Critical<\/strong> (AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H)<\/p>\n Data science teams and research environments using shared Marimo notebooks are at highest risk. Exploitation can lead to complete host compromise, data exfiltration, and lateral movement within research networks.<\/p>\n Written by Tarang Parmar (CEH) \u2014 TheCyberSecurity.Network. Read time: 4 min.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been actively exploited within just 10 hours of public disclosure.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42],"tags":[37,11,14,13,12,35],"class_list":["post-96","post","type-post","status-publish","format-standard","hentry","category-vulnerability","tag-critical","tag-cve202639987","tag-marimo","tag-python","tag-rce","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/96","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/comments?post=96"}],"version-history":[{"count":1,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/96\/revisions"}],"predecessor-version":[{"id":108,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/posts\/96\/revisions\/108"}],"wp:attachment":[{"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/media?parent=96"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/categories?post=96"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecybersecurity.network\/blog\/wp-json\/wp\/v2\/tags?post=96"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Impact Assessment<\/h2>\n
Affected Versions<\/h2>\n
\n
Recommended Mitigations<\/h2>\n
\n
pip install --upgrade marimo<\/code><\/li>\n