Anonymous researcher drops 0-day 'exploitarium' repo


At least two vulnerabilities are already under attack

Jessica Lyons

Published Mon 29 Jun 2026 // 21:29 UTC

Not everyone is willing to follow responsible disclosure of vulns. An anonymous researcher has dumped what they say is working exploit code for zero-day vulnerabilities across 15 software products and open source projects without notifying any vendors or maintainers prior to publishing - and attackers are already exploiting at least two of these.

The first is CVE-2026-55200, a critical, pre-authentication remote code execution (RCE) vulnerability in libssh2, a popular client-side C library that implements the SSH2 protocol. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

A fix has been merged into the libssh2 mainline development source control branch, and maintainers are still preparing a libssh2 release containing the patch.
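The bug class described above - an attacker-supplied packet_length trusted for buffer sizing - is a recurring one in SSH binary packet parsers. The following is an added illustration written for this article, not libssh2's code and not a reproduction of the CVE-2026-55200 code path: it contrasts a sizing pattern that wraps on large lengths with a parser that bounds every wire-supplied length (against the RFC 4253 35000-byte minimum-supported size) before allocating or copying. The packet bytes, the helper names and the limits are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4253 s6.1 requires implementations to accept packets of at least 35000
 * bytes; this example rejects any larger packet_length before it can size a
 * buffer. (Assumed limit for illustration, not libssh2's.) */
#define SSH_MAX_PACKET_LEN 35000u
/* packet_length covers padding_length (1 byte) plus at least 4 bytes of padding. */
#define SSH_MIN_PACKET_LEN 5u

typedef struct {
    uint8_t *payload;
    size_t   payload_len;
} ssh_packet;

static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable sizing pattern (illustrative, not libssh2's code): the wire value
 * is trusted and the uint32 sum wraps, so a huge packet_length yields a tiny
 * allocation while later reads and copies still use packet_length itself. */
uint32_t vulnerable_alloc_size(uint32_t packet_length, uint32_t mac_len) {
    return packet_length + 4u + mac_len;
}

/* Hardened parser: validates every attacker-controlled length before any
 * allocation or copy. Returns 0 on success, a negative code on rejection. */
int ssh_parse_packet(const uint8_t *buf, size_t buf_len, uint32_t mac_len,
                     ssh_packet *out)
{
    if (buf_len < 4)
        return -1;                       /* need the length field first */
    uint32_t packet_length = rd_u32(buf);
    if (packet_length < SSH_MIN_PACKET_LEN || packet_length > SSH_MAX_PACKET_LEN)
        return -2;                       /* out-of-range length: drop the connection */
    /* packet_length is now bounded, so this widened sum cannot wrap. */
    size_t total = 4u + (size_t)packet_length + (size_t)mac_len;
    if (total > buf_len)
        return -3;                       /* incomplete: wait for more bytes */
    uint8_t padding_length = buf[4];
    if (padding_length < 4 || (size_t)padding_length + 1 > packet_length)
        return -4;                       /* padding inconsistent with packet_length */
    size_t payload_len = (size_t)packet_length - 1 - padding_length;
    out->payload = malloc(payload_len ? payload_len : 1);
    if (!out->payload)
        return -5;
    memcpy(out->payload, buf + 5, payload_len);   /* bounded by the checks above */
    out->payload_len = payload_len;
    return 0;
}

void ssh_packet_free(ssh_packet *p) {
    free(p->payload);
    p->payload = NULL;
    p->payload_len = 0;
}

/* Constructed sample input (not captured from any real session): packet_length
 * 12, padding_length 6, payload "hello", 6 bytes of padding, no MAC. */
static const uint8_t GOOD_PACKET[16] = {
    0x00, 0x00, 0x00, 0x0c, 0x06, 'h', 'e', 'l', 'l', 'o',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* Constructed hostile header: packet_length 0xFFFFFFF0 with a few bytes behind it. */
static const uint8_t HUGE_PACKET[8] = {
    0xff, 0xff, 0xff, 0xf0, 0x04, 0x00, 0x00, 0x00
};

int main(void) {
    ssh_packet pkt;
    printf("vulnerable size for 0xFFFFFFF0 + 20-byte MAC: %u\n",
           vulnerable_alloc_size(0xFFFFFFF0u, 20u));
    printf("hardened parse of huge packet: %d\n",
           ssh_parse_packet(HUGE_PACKET, sizeof HUGE_PACKET, 20u, &pkt));
    if (ssh_parse_packet(GOOD_PACKET, sizeof GOOD_PACKET, 0u, &pkt) == 0) {
        printf("payload (%zu bytes): %.*s\n", pkt.payload_len,
               (int)pkt.payload_len, pkt.payload);
        ssh_packet_free(&pkt);
    }
    return 0;
}
```

The point of the contrast is the order of operations: the hardened parser never lets packet_length reach an allocator or memcpy until it has been range-checked, the total has been computed in a width that cannot wrap, and the padding byte has been checked against it, so a hostile length costs the peer a dropped connection rather than a heap write.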


The second is CVE-2026-20896, a critical authentication bypass vulnerability affecting self-hosted Gitea Docker deployments that allows unauthenticated remote attackers to impersonate any user and fully take over the Git server. It’s fixed in Gitea 1.26.3.


The researcher, who goes by bikini, dropped the exploit code and vulnerability write-ups in a now-removed GitHub repository called exploitarium. The drop recalls Nightmare Eclipse - the zero-day bug hunter who has been publishing Microsoft exploits over the past couple of months.

Unlike Nightmare Eclipse, however, bikini doesn't appear to hold a grudge against any one vendor, publishing purported vulnerabilities across multiple products and projects including libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Gitea, and Floci.

Bikini claimed - and, to be clear, The Register has not verified these claims or that the code works - that none of the exploits in the repo have been reported.

"Feel free to report them yourself and take credit for the CVE if handed out lulz," the anonymous researcher wrote, as shown in this screenshot posted on X by Ledger CTO Charles Guillemet. "Please do not abuse these. I do this so to allure people into the field."


Other researchers, including Federal Signal analyst Ethan Andrews, suggested that bikini used advanced AI models - specifically GPT-5.5 Codex - to automate fuzzing and vulnerability discovery, in yet another indication that the AI-induced vulnpocalypse is nigh.

In response to bikini's data dump, Andrews built 44 KQL detection rules covering the full exploitarium repo, with translations available for non-KQL stacks.

"The most technically significant findings - libssh2 pre-auth heap write and Gitea default Docker auth bypass - have been independently verified as high-risk with active exploitation observed," Andrews wrote, noting that some of the exploitarium disclosures "have been dismissed by the community as low-impact AI-fuzzing noise."

While the repository has since been removed by GitHub, nothing ever truly dies on the internet, and it's safe to assume that attackers are now also using AI to scan for vulnerable instances. In many cases, bikini's PoCs mean they don't even have to spend time developing an exploit. ®
