Marimo, an open-source reactive Python notebook platform, is affected by a critical pre-authentication remote code execution vulnerability (CVE-2026-39987, CVSS 9.8) chaining missing authentication (CWE-306) with code injection (CWE-94), enabling full host compromise with a single unauthenticated HTTP request. Active exploitation was reported approximately 10 hours after public disclosure, and CISA KEV designation should be monitored given confirmed in-the-wild activity. Any Marimo instance accessible from untrusted networks should be taken offline or isolated immediately; the specific affected version range and patched release must be confirmed at nvd.nist.gov/vuln/detail/CVE-2026-39987 and the official Marimo GitHub advisory before applying the patch.