Exploitarium: Researcher Exposes Zero-Day Flaws in 15 Open Source Projects

An anonymous researcher has suddenly published on GitHub exploit code for zero-day flaws affecting 15 open source software projects. The problem: nobody was warned, which is reminiscent of another researcher’s behavior with Microsoft... At least two of the disclosed vulnerabilities are reportedly already being exploited. Here’s what we know.

An Exploitarium repository dropped without warning anyone

A researcher using the alias bikini has uploaded a GitHub repository called Exploitarium, bringing together exploit code and vulnerability reports that directly affect 15 open source software projects. Among the targets mentioned are libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Gitea, and Floci.

The common thread across all of these flaws? No vendor was reportedly notified before publication. This is a wild, and above all irresponsible, disclosure. Here is what was written on the GitHub repository (now deleted): "A single archive containing public exploit PoCs and vulnerability research reports. At the time I am publishing this information, none has been reported yet. Feel free to report them yourself and claim the CVE credit if one is assigned, just for fun."

I do not know whether the proof-of-concept exploit code (PoCs) for these vulnerabilities is functional, but this researcher’s behavior is not an isolated case. In fact, this method echoes that of Nightmare Eclipse, a researcher who recently made headlines by publishing flaws targeting Windows, to the point that Microsoft ended up deleting his GitHub account. That did not stop him, a few days later, from publishing another flaw, RoguePlanet, just after the June patches. However, bikini does not seem to be settling scores with any particular vendor; he simply appears to want to expose all of us by disclosing vulnerabilities in popular solutions.

For his part, Ethan Andrews, an analyst at Federal Signal, believes the researcher may have used an advanced model (he mentions GPT-5.5 Codex) to automate fuzzing and vulnerability discovery. A plausible scenario, and one that fits an already documented trend: the explosion in CVEs driven by AI across the software ecosystem.

Two flaws already exploited: libssh2 and Gitea

While part of the repository is being disputed, two vulnerabilities stand out because they are reportedly already the subject of attacks. These are flaws in the libssh2 library and in Gitea:

  • CVE-2026-55200, a critical pre-authentication remote code execution (RCE) flaw in libssh2, a C client-side library implementing the SSH2 protocol. A remote attacker can send specially crafted SSH packets with an excessively large packet_length value in order to corrupt heap memory and execute code. A patch has been merged into the main development branch of libssh2, but maintainers are reportedly still preparing a stable release that includes it.
  • CVE-2026-20896, a critical authentication bypass flaw affecting self-hosted Gitea deployments running under Docker. It allows an unauthenticated remote attacker to impersonate any user account and gain full control of the Git server. It was fixed in Gitea 1.26.3.
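As an added illustration (not libssh2's code, and not a reconstruction of the actual bug), here is how a length-prefixed SSH binary packet header (RFC 4253) can be validated before any allocation or copy, so that an attacker-controlled packet_length is bounded and checked for consistency rather than trusted; SSH_MAX_PACKET is an assumed limit (RFC 4253 requires implementations to accept at least 35000 bytes).

```c
/* Added example, not libssh2's code: parse the RFC 4253 binary packet header
 * with explicit bounds checks so an oversized packet_length cannot drive an
 * oversized allocation or an out-of-bounds heap write. Limit is an assumption. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SSH_MAX_PACKET 35000u

typedef struct {
    uint32_t packet_length;   /* bytes following this field, per RFC 4253 */
    uint8_t  padding_length;
    size_t   payload_len;     /* derived: packet_length - padding_length - 1 */
} ssh_pkt_hdr;

/* Returns 1 and fills hdr if the 5-byte header is sane; 0 rejects it. */
int ssh_parse_header(const uint8_t *buf, size_t buflen, ssh_pkt_hdr *hdr)
{
    if (buflen < 5)
        return 0;
    uint32_t plen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    uint8_t pad = buf[4];
    /* Hard cap before any allocation: an excessive value is rejected, not trusted. */
    if (plen == 0 || plen > SSH_MAX_PACKET)
        return 0;
    /* RFC 4253 requires at least 4 bytes of padding, and padding_length plus
     * its own byte must fit inside packet_length (else payload_len underflows). */
    if (pad < 4 || (uint32_t)pad + 1 > plen)
        return 0;
    hdr->packet_length  = plen;
    hdr->padding_length = pad;
    hdr->payload_len    = plen - pad - 1;
    return 1;
}

/* Copies the payload into a buffer sized from the validated header; returns
 * NULL if the caller's buffer is shorter than the header claims (truncation). */
uint8_t *ssh_extract_payload(const uint8_t *buf, size_t buflen, const ssh_pkt_hdr *hdr)
{
    size_t total = 4u + (size_t)hdr->packet_length;  /* length field + what it counts */
    if (buflen < total)
        return NULL;                                  /* never read past buf */
    uint8_t *payload = malloc(hdr->payload_len ? hdr->payload_len : 1);
    if (!payload)
        return NULL;
    memcpy(payload, buf + 5, hdr->payload_len);
    return payload;
}
```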

For Ethan Andrews, who published 44 KQL detection rules covering the entire repository (for Microsoft Defender and Sentinel), these are precisely the two findings that deserve special attention: "The most technically significant results — the pre-authentication memory write in libssh2 and Gitea's default Docker authentication bypass — were independently verified as high risk, with active exploitation observed."

What about responsible disclosure?

Beyond the two confirmed flaws, the disclosure method itself is what raises questions. When a researcher publishes a proof of concept without warning the vendor, defenders and attackers discover the flaw at the same time: the advantage is very often on the attackers' side, especially when no patch is available. This is the exact opposite of coordinated disclosure, which usually gives vendors a window of several weeks to fix the issue before it is made public.

In any case, this repository would need to be triaged, especially because it includes flaws that may be nothing more than noise generated by AI-assisted automated fuzzing and are unlikely to be exploitable in practice. It is no secret: AI-driven automation lowers the barrier to entry for vulnerability research, but it also raises the noise level, multiplying the number of false positives that must be filtered out.

Author: Florian Burnel, co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
