🚨 Pre-Auth RCE vuln tagged as CVE-2026-39987 (CVSS 9.3) seeing active exploitation in the wild as reported by Vulncheck and Bleeping Computer.

Passively scan infrastructure to find potentially vulnerable instances:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39987.yaml

An unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance
https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc