CVE-2026-39987 is an unauthenticated pre-auth RCE in Marimo, the open-source reactive Python notebook. It carries a CVSS score of 9.8, the highest of any CVE in this rollup, and was reported as actively exploited within approximately 10 hours of public disclosure by Sysdig. Any internet-exposed Marimo server instance is at risk of full host compromise via a single crafted HTTP request, with no credentials required. Organizations should immediately place all Marimo instances behind a VPN or firewall. Before deploying remediation, confirm the specific affected and patched version ranges at https://nvd.nist.gov/vuln/detail/CVE-2026-39987 and on the official Marimo GitHub releases page.