Marimo carries a single critical pre-authentication RCE vulnerability (CVE-2026-39987, CVSS 9.8) that requires no credentials and achieves root-level code execution with a single HTTP request. Active exploitation was confirmed in the wild within 10 hours of public disclosure, making this the most operationally urgent item in this rollup. Immediate action is required: remove internet-facing exposure, audit hosts for compromise indicators, and apply the vendor-confirmed patch once version details are confirmed via NVD and Marimo’s official release channel.