An anonymous researcher has publicly disclosed exploit code for several zero-day vulnerabilities affecting 15 different software products and open-source projects. This release occurred without prior notification to the respective vendors or maintainers, leading to immediate exploitation of at least two of the vulnerabilities.
Confirmed Vulnerabilities and Exploits
The first confirmed vulnerability, CVE-2026-55200, is a critical pre-authentication remote code execution (RCE) flaw in libssh2. Remote attackers can send specially crafted SSH packets with excessively large packet_length values, potentially leading to heap memory corruption and remote code execution. A fix has been merged into libssh2's main development branch, but a formal release containing the patch is still pending.
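As an added illustration of the bug class described above (not code from the article, from libssh2, or from its patch), the following C sketch bounds an SSH binary packet's packet_length and padding_length before either value is used for allocation or arithmetic. The helper name, the status codes and the 35000-byte cap (the total packet size RFC 4253 requires implementations to accept) are assumptions, and the framing is the classic one without AEAD or encrypt-then-MAC modes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed cap: RFC 4253 section 6.1 only requires support for packets up to
 * 35000 bytes in total; this is not libssh2's own constant. */
#define SSH_MAX_PACKET 35000u

enum ssh_hdr_status { SSH_HDR_OK, SSH_HDR_NEED_MORE, SSH_HDR_BAD_LENGTH, SSH_HDR_BAD_PADDING };

struct ssh_hdr { uint32_t packet_length, payload_length; uint8_t padding_length; };

/* Hypothetical helper: validate the 5-byte header of one SSH binary packet
 * (uint32 packet_length, byte padding_length) before anything is allocated. */
enum ssh_hdr_status ssh_check_header(const uint8_t *buf, size_t avail,
                                     uint32_t block_size, struct ssh_hdr *out)
{
    if (avail < 5)
        return SSH_HDR_NEED_MORE;             /* header itself not complete yet */
    if (block_size < 8)
        block_size = 8;                       /* RFC 4253: multiple of max(8, block) */

    uint32_t plen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8) | buf[3];

    /* Bound the attacker-controlled length first, so the additions and the
     * subtraction below cannot wrap. 4 + plen must be at least 16 bytes. */
    if (plen < 12 || plen > SSH_MAX_PACKET - 4)
        return SSH_HDR_BAD_LENGTH;
    if ((4 + plen) % block_size != 0)
        return SSH_HDR_BAD_LENGTH;

    uint8_t pad = buf[4];
    if (pad < 4 || (uint32_t)pad + 1 > plen)  /* at least 4 bytes of padding */
        return SSH_HDR_BAD_PADDING;

    out->packet_length = plen;
    out->padding_length = pad;
    out->payload_length = plen - pad - 1;
    /* Header is sane; tell the caller whether the whole packet has arrived. */
    return avail < 4 + (size_t)plen ? SSH_HDR_NEED_MORE : SSH_HDR_OK;
}

int main(void)
{
    /* Constructed headers: one well-formed, one with an oversized length. */
    const uint8_t good[16] = { 0, 0, 0, 12, 10, 21 };
    const uint8_t huge[5]  = { 0xff, 0xff, 0xff, 0xff, 4 };
    struct ssh_hdr h;
    printf("good=%d huge=%d\n", (int)ssh_check_header(good, sizeof good, 8, &h),
           (int)ssh_check_header(huge, sizeof huge, 8, &h));
    return 0;
}
```

Rejecting the length before any buffer is sized from it means a peer that has not yet authenticated cannot drive the allocation size or the copy length.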
The second vulnerability, identified as CVE-2026-20896, is an authentication bypass issue affecting self-hosted Gitea Docker deployments. This flaw permits unauthenticated remote attackers to impersonate any user, thereby gaining full control over the Git server. A patch for this vulnerability is included in Gitea 1.26.3.
Details of the Exploit Repository
The researcher, who operates under the pseudonym bikini, initially published the exploit code and vulnerability descriptions in a GitHub repository named exploitarium, which has since been removed. Unlike other recent zero-day disclosures, bikini’s approach does not seem to target any specific vendor, as the vulnerabilities span multiple products, including Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, and Floci.
Community Response and Implications
While some community members have suggested that bikini may have utilized advanced AI models, such as GPT-5.5 Codex, for automating the discovery of these vulnerabilities, this remains unverified. In response to the exploit release, security analyst Ethan Andrews has developed 44 KQL detection rules to cover the vulnerabilities disclosed in the exploitarium repository. He noted that the most significant findings, particularly the libssh2 pre-auth heap write and the Gitea Docker authentication bypass, have been independently verified as high-risk with active exploitation observed.
Despite the removal of the repository from GitHub, the permanence of online information suggests that these exploits may still be accessible and could be leveraged by attackers, especially as AI tools continue to evolve in their capabilities.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








