Nine Hours
A critical remote code execution vulnerability in Marimo — an open-source Python notebook tool used heavily in AI and data science workflows — was weaponized by attackers roughly nine hours after public disclosure. The flaw, tracked as CVE-2026-39987, was reachable without authentication. Within a single working day of anyone knowing about it, someone was exploiting it.
Nine hours is no longer an anomaly; it is a benchmark. The window between vulnerability disclosure and active exploitation has collapsed to the point where patch cycles that assume days or weeks of safety are simply wrong. For teams running notebook environments close to model infrastructure or internal data pipelines, this incident is worth treating as a drill: how quickly could you have identified every exposed instance and patched or isolated it? The CVE was patched; the lesson — that developer tooling is a high-value attack surface and exposure time is measured in hours — is ongoing.