CRITICAL 2 min read 14 Apr 2026

Marimo — CVE-2026-39987 Pre-Auth RCE

Marimo notebook's /terminal/ws endpoint allows unauthenticated WebSocket connections granting PTY shell access, with active exploitation confirmed within 10 hours of disclosure. UK research and healthcare-relevant environments with exposed notebook services face immediate risk.

Key findings

01 Pre-Auth Shell Access via WebSocket Endpoint (Severity: High; Confidence: High)
02 Command Injection in Totolink A7100RU Routers (Severity: Critical; Confidence: High)
03 Buffer Overflow in Tenda F451 Routers (Severity: High; Confidence: High)
04 Malicious npm Package Cluster Targeting Databases (Severity: High; Confidence: Medium)
05 Update: Adobe Acrobat/Reader Scoring Revision (Severity: High; Confidence: High)
06 Update: Qilin Ransomware BYOVD Tradecraft Detail (Severity: High; Confidence: High)
07 Update: Cyber Essentials April 2026 Expansion (Severity: High; Confidence: Medium)

Pre-Auth Shell Access via WebSocket Endpoint

Confidence: High

Marimo, an open-source Python notebook platform, contains a critical vulnerability in its /terminal/ws endpoint. This WebSocket interface accepts unauthenticated connections and hands attackers full PTY shell access, giving a direct route from an exposed notebook service to shell compromise with no authentication bypass needed. Exploitation was confirmed within 10 hours of disclosure. UK research institutions, data science teams, and NHS-adjacent healthcare analytics environments are particularly exposed because notebook deployment is widespread in those settings.
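The following is an added example written for this brief (it is not Marimo project code) showing how a defender can verify exposure of the terminal endpoint across an estate, which is the "audit notebook exposure" action below. Only the path /terminal/ws comes from the brief. The default port 2718, the way an open versus an auth-gated endpoint answers a bare HTTP upgrade request, and the local stub server used for the offline demo are assumptions. The check sends the upgrade handshake only and never exchanges WebSocket frames, so it does not touch a PTY even where one is reachable.

```python
"""Notebook terminal exposure check (added example; not Marimo project code).
Assumptions: /terminal/ws is taken from the brief; port 2718 is assumed to be
Marimo's default; the status-code-to-posture mapping is an assumption about
how an auth-gated versus an open endpoint answers a bare upgrade request."""
import base64
import http.client
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TERMINAL_PATH = "/terminal/ws"


def classify_upgrade_status(status: int) -> str:
    """Map the HTTP status returned to an unauthenticated upgrade attempt to a posture label."""
    if status == 101:
        return "EXPOSED: unauthenticated WebSocket upgrade accepted"
    if status in (401, 403):
        return "PROTECTED: authentication enforced on the terminal endpoint"
    if status == 404:
        return "ABSENT: terminal endpoint not served (feature off or different product)"
    if 300 <= status < 400:
        return "REDIRECT: probably a login page; confirm manually"
    return f"UNKNOWN: HTTP {status}; review manually"


def probe_terminal_endpoint(host: str, port: int = 2718, use_tls: bool = False,
                            timeout: float = 5.0) -> str:
    """Send the HTTP upgrade handshake only; no WebSocket frames are ever sent or read,
    so the check never interacts with a PTY even when the endpoint is open."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    headers = {
        "Host": f"{host}:{port}",
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Key": key,
        "Sec-WebSocket-Version": "13",
    }
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", TERMINAL_PATH, headers=headers)
        return classify_upgrade_status(conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:
        return f"UNREACHABLE: {type(exc).__name__}"
    finally:
        conn.close()


class _AuthGatedStub(BaseHTTPRequestHandler):
    """Constructed stand-in for a patched or proxy-gated notebook: rejects the upgrade with 403."""

    def do_GET(self):
        self.send_response(403 if self.path == TERMINAL_PATH else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_against_local_stub() -> str:
    """Run the probe against the local stub so the example works offline."""
    server = HTTPServer(("127.0.0.1", 0), _AuthGatedStub)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_terminal_endpoint("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo_against_local_stub())
```

Feed `probe_terminal_endpoint` from the same host inventory used for the notebook audit and treat every EXPOSED result as a host to relocate behind VPN or an authenticating proxy before anything else; REDIRECT and UNKNOWN results still need a manual look, since a login redirect on the HTTP path does not prove the WebSocket path is gated.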

Command Injection in Totolink A7100RU Routers

Confidence: High

Four newly disclosed command-injection vulnerabilities (CVE-2026-6131, CVE-2026-6138, CVE-2026-6139, CVE-2026-6140) affect Totolink A7100RU router firmware, each scoring CVSS 9.8. These flaws include unauthenticated vectors with public exploit availability. SMEs and remote-worker environments deploying these routers should prioritise firmware updates or device replacement. The presence of public exploits raises the immediate risk profile for any externally accessible management interfaces.

Buffer Overflow in Tenda F451 Routers

Confidence: High

Tenda F451 routers are affected by buffer overflow vulnerabilities (CVE-2026-6134, CVE-2026-6136) with CVSS 8.8 ratings. Management endpoints appear remotely exploitable with disclosed proof-of-concept code. This extends the consumer and SME router risk pattern from Totolink to a second vendor. Security teams conducting router posture reviews should include Tenda F451 models in their discovery and assessment scopes.

Malicious npm Package Cluster Targeting Databases

Confidence: Medium

A cluster of 36 malicious npm packages has been identified targeting Redis and PostgreSQL credential theft alongside cryptominer deployment. The packages use post-install scripts to harvest database credentials from environment variables and configuration files. This supply-chain vector is a particular risk to Node.js-heavy estates with automated dependency installation. Evidence for this finding comes from single-source reporting; organisations should verify npm package integrity and audit recent installations.
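As an added example for the "review npm dependencies" action below (this is illustrative code written for this brief, not from the cited reporting), the script walks an installed node_modules tree, collects every package that registers a lifecycle hook, follows the hook into any package-local script it launches, and flags hooks that reference database-credential variables or mining-client strings. The indicator lists, the two sample packages and the heuristics are constructed assumptions, not published IoCs from the 36-package cluster.

```python
"""Audit an installed node_modules tree for lifecycle scripts that read
database credentials or carry miner indicators (added example, not from the
brief's source reporting; the indicator lists and sample packages are
constructed assumptions, not published IoCs)."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators: environment variables and config files holding DB credentials.
CRED_RE = re.compile(
    r"\bPG(PASSWORD|USER|HOST)\b|\bDATABASE_URL\b|\bREDIS_(URL|PASSWORD)\b"
    r"|\.pgpass\b|redis\.conf\b|process\.env\.(PG|REDIS|DATABASE)"
)
# Assumed indicators of a bundled mining client.
MINER_RE = re.compile(r"stratum\+tcp://|xmrig|--donate-level", re.IGNORECASE)


def iter_packages(node_modules: Path):
    """Yield (package_dir, manifest) for every package.json below node_modules,
    including scoped (@scope/name) and nested packages."""
    for manifest_path in node_modules.rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(manifest, dict):
            yield manifest_path.parent, manifest


def script_payload(pkg_dir: Path, command: str) -> str:
    """Return the hook command plus the text of any package-local script it runs
    (e.g. `node setup.js`), so heuristics see the real payload, not just the launcher."""
    text = command
    for token in command.split():
        candidate = pkg_dir / token.strip("\"'")
        if candidate.suffix in (".js", ".cjs", ".mjs", ".sh") and candidate.is_file():
            text += "\n" + candidate.read_text(encoding="utf-8", errors="replace")
    return text


def audit_node_modules(node_modules: Path) -> list:
    """Return one finding per lifecycle hook: 'high' when credential or miner
    indicators are present, otherwise 'review' (native builds also use hooks)."""
    findings = []
    for pkg_dir, manifest in iter_packages(node_modules):
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            payload = script_payload(pkg_dir, str(command))
            reasons = []
            if CRED_RE.search(payload):
                reasons.append("reads database credentials")
            if MINER_RE.search(payload):
                reasons.append("miner indicators")
            findings.append({
                "package": manifest.get("name", pkg_dir.name),
                "hook": hook,
                "command": command,
                "severity": "high" if reasons else "review",
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["package"])


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: a benign native-build hook and a package whose postinstall
    collects PG/Redis variables. Package names are invented."""
    benign = root / "node_modules" / "fast-hash"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "fast-hash", "scripts": {"install": "node-gyp rebuild"}}))
    bad = root / "node_modules" / "@acme" / "pg-helper"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "@acme/pg-helper", "scripts": {"postinstall": "node setup.js"}}))
    (bad / "setup.js").write_text(
        "// constructed sample: collects credentials from the environment\n"
        "const creds = { pg: process.env.PGPASSWORD, redis: process.env.REDIS_URL };\n")
    return root / "node_modules"


def demo() -> list:
    """Build the sample tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    return audit_node_modules(build_sample_tree(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding["severity"], finding["package"], finding["hook"], finding["reasons"])
```

Run `audit_node_modules(Path("node_modules"))` in each Node.js project root; the 'review' tier is expected to be noisy because legitimate native modules compile in `install`, so triage the 'high' tier first and cross-check those packages against `npm ls` and the lockfile's resolved registry URLs. Setting `ignore-scripts=true` in `.npmrc` on build agents stops unreviewed hooks from running at all.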

Update: Adobe Acrobat/Reader Scoring Revision

Confidence: High

CVE-2026-34621 in Adobe Acrobat/Reader has been rescored from critical to CVSS 8.6. The patch remains operationally urgent; this is a score adjustment, not a deprioritisation.

Update: Qilin Ransomware BYOVD Tradecraft Detail

Confidence: High

New reporting adds specific detail to Qilin's intrusion pattern: multi-stage infection, EDR suppression via vulnerable drivers, and delayed exfiltration before encryption. This provides actionable hunting guidance for SOC teams monitoring for pre-encryption data staging.
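To show how the staged pattern above translates into hunting logic, here is an added example (not from the reporting the brief cites) that correlates, per host, an EDR-suppression signal (driver loaded from a user-writable path, or the security agent's process terminating), a later bulk egress event, and a later mass-rename burst. A host with suppression plus egress but no rename burst is surfaced as pre-encryption staging, which is the window the brief says is worth hunting in. The telemetry schema, thresholds, image names, paths and all sample events are constructed assumptions, not published Qilin indicators.

```python
"""Correlate the Qilin-style intrusion sequence described in the brief (EDR
suppression via a vulnerable driver, delayed bulk exfiltration, then encryption)
per host, so that a host sitting at the staging stage is surfaced before
encryption begins. Added example; the telemetry schema, thresholds and sample
events are constructed assumptions, not published Qilin indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
EDR_IMAGES = {"edr-agent.exe"}        # assumed: your EDR's service image names
EGRESS_BYTES = 1_000_000_000          # assumed: 1 GB to a single external host
RENAME_BURST = 1000                   # assumed: renames per window that look like encryption

# Constructed, normalised telemetry: (timestamp, host, event_type, details)
SAMPLE_EVENTS = [
    ("2026-04-13T21:02:00", "ws-17", "driver_load", {"path": r"C:\Users\Public\drv.sys"}),
    ("2026-04-13T21:03:10", "ws-17", "process_exit", {"image": "edr-agent.exe"}),
    ("2026-04-13T23:40:00", "ws-17", "net_egress", {"bytes": 9_400_000_000, "dst": "203.0.113.7"}),
    ("2026-04-12T20:10:00", "ws-31", "driver_load", {"path": r"C:\Temp\drv.sys"}),
    ("2026-04-13T01:30:00", "ws-31", "net_egress", {"bytes": 3_000_000_000, "dst": "203.0.113.9"}),
    ("2026-04-13T04:05:00", "ws-31", "file_rename_burst", {"count": 4200}),
    ("2026-04-13T21:05:00", "ws-22", "driver_load", {"path": r"C:\Windows\System32\drivers\ok.sys"}),
    ("2026-04-13T22:00:00", "ws-22", "net_egress", {"bytes": 120_000_000, "dst": "198.51.100.4"}),
]


def stage_of(event_type: str, details: dict):
    """Map one event to an intrusion stage, or None if it is not interesting."""
    if event_type == "driver_load" and not details["path"].lower().startswith(SYSTEM_DRIVER_DIR):
        return "edr_suppression"          # driver loaded from a user-writable path
    if event_type == "process_exit" and details["image"].lower() in EDR_IMAGES:
        return "edr_suppression"          # security agent terminated
    if event_type == "net_egress" and details["bytes"] >= EGRESS_BYTES:
        return "exfiltration"
    if event_type == "file_rename_burst" and details["count"] >= RENAME_BURST:
        return "encryption"
    return None


def analyse(events, window: timedelta = timedelta(hours=48)) -> dict:
    """Return {host: {"level": ..., "stages": [...]}} for hosts whose suppression
    stage is followed, within `window`, by exfiltration and/or encryption."""
    by_host = defaultdict(list)
    for ts, host, etype, details in sorted(events, key=lambda e: (e[1], e[0])):
        stage = stage_of(etype, details)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, staged in by_host.items():
        first = {}
        for ts, stage in staged:
            first.setdefault(stage, ts)   # earliest time each stage was seen
        start = first.get("edr_suppression")
        if start is None:
            continue
        later = [s for s, ts in first.items()
                 if s != "edr_suppression" and timedelta(0) <= ts - start <= window]
        if not later:
            continue
        level = "encryption_in_progress" if "encryption" in later else "pre_encryption_staging"
        alerts[host] = {"level": level, "stages": sorted(first)}
    return alerts


if __name__ == "__main__":
    for host, alert in analyse(SAMPLE_EVENTS).items():
        print(host, alert["level"], alert["stages"])
```

The useful output is the `pre_encryption_staging` tier: a host that has lost its agent and is pushing gigabytes outbound has not yet been encrypted, so isolating it and the egress destination at that point changes the outcome. Replace the three thresholds and the image-name set with values from your own telemetry baseline before deploying the logic.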

Update: Cyber Essentials April 2026 Expansion

Confidence: Medium

The Cyber Essentials April 2026 update extends beyond MFA to include an "application development" section replacing the previous "web applications" scope. Implementation timing remains 27 April 2026. This creates stronger assessment opportunities for UK-facing security providers.

Why This Matters

The Marimo vulnerability exposes a growing attack surface: developer and data-science tooling on the internet without adequate authentication boundaries. Pre-auth shell access via WebSocket bypasses traditional network security assumptions. Combined with sustained router exploitation (Totolink, Tenda), today's findings confirm edge devices and non-traditional infrastructure as prime targets. The CVE-2026-39987 active exploitation timeline — 10 hours from disclosure — demands immediate posture verification.

Recommended Actions

  • Upgrade Marimo immediately: Update to version 0.23.0 or later; restrict /terminal/ws endpoint access to authenticated users only
  • Audit notebook exposure: Identify internet-accessible Marimo or similar notebook services; relocate to VPN-protected or authentication-gated networks
  • Patch or replace Totolink/Tenda routers: Apply latest firmware if available; consider replacement if patches unavailable or devices end-of-life
  • Review npm dependencies: Audit Node.js estates for suspicious post-install scripts and unusual database credential access
  • Maintain Adobe patching urgency: Rapid deployment of APSB26-43 remains operationally critical despite score revision
  • Update Qilin hunting rules: Incorporate new BYOVD and delayed-exfiltration indicators into detection playbooks

All findings grounded in A13E intelligence sweeps through 04:30 UTC 14 April 2026.

Tags: active-exploitation, cve-2026-34621, cve-2026-39987, cve-2026-6131, cve-2026-6134, marimo, rce, websocket
