The cybersecurity community is on high alert following the release of a GitHub repository named "exploitarium", managed by an anonymous user known as "bikini". Deviating from standard responsible disclosure practices, the author published working exploit code for zero-day vulnerabilities affecting 15 different software products and open-source projects without prior notification to vendors or maintainers.

As reported by The Register, at least two of these flaws are already being actively exploited. Among the most critical is CVE-2026-55200, a pre-authentication Remote Code Execution (RCE) vulnerability in libssh2, a popular C library for the SSH2 protocol. The exploit allows remote attackers to send crafted SSH packets with excessively large packet_length values, leading to heap memory corruption and arbitrary code execution.
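The defensive side of the packet_length problem described above, as an added example: it is not libssh2's code and not the fix its maintainers merged. It validates the header of an SSH binary packet (RFC 4253 section 6) before any length is used for allocation or copying; the function and constant names, the 35000-byte cap and the sample headers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy for this example: cap packet_length at the 35000-byte
 * packet size RFC 4253 section 6.1 requires implementations to handle. */
#define SSH_MAX_PACKET_LEN 35000u
#define SSH_MIN_PADDING    4u   /* RFC 4253 section 6: at least 4 padding bytes */

enum ssh_hdr_status { SSH_HDR_OK, SSH_HDR_SHORT, SSH_HDR_BAD_LENGTH, SSH_HDR_BAD_PADDING };

struct ssh_hdr {
    uint32_t packet_length;   /* padding_length byte + payload + padding */
    uint8_t  padding_length;
    uint32_t payload_length;  /* derived only after both fields pass */
};

/* Validate the header (uint32 packet_length, byte padding_length) before
 * anything is allocated or copied based on peer-supplied lengths. */
enum ssh_hdr_status ssh_check_header(const unsigned char *buf, size_t len,
                                     struct ssh_hdr *out)
{
    if (buf == NULL || out == NULL || len < 5)
        return SSH_HDR_SHORT;
    uint32_t plen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    uint8_t pad = buf[4];
    /* Compare the raw value first: no "plen + n" that could wrap at 2^32. */
    if (plen < 1u + SSH_MIN_PADDING || plen > SSH_MAX_PACKET_LEN)
        return SSH_HDR_BAD_LENGTH;
    /* Padding must fit inside the packet next to the padding_length byte. */
    if (pad < SSH_MIN_PADDING || (uint32_t)pad > plen - 1u)
        return SSH_HDR_BAD_PADDING;
    out->packet_length  = plen;
    out->padding_length = pad;
    out->payload_length = plen - 1u - pad;
    return SSH_HDR_OK;
}

int main(void)
{
    /* Constructed sample headers, not captured traffic. */
    const unsigned char ok[5]   = { 0x00, 0x00, 0x00, 0x0c, 0x0a };
    const unsigned char huge[5] = { 0xff, 0xff, 0xff, 0xff, 0x04 };
    struct ssh_hdr h;
    printf("ok=%d huge=%d\n", (int)ssh_check_header(ok, sizeof ok, &h),
           (int)ssh_check_header(huge, sizeof huge, &h));
    return 0;
}
```

Block-size alignment and MAC checks depend on the negotiated cipher and are left out here.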

An Unfiltered Vulnerability Archive

The repository serves as a collection of Proof-of-Concept (PoC) exploits and offensive security research. While the author frames the project as "good-faith, open-disclosure," encouraging others to report the bugs and claim CVE credit, the real-world impact is severe. Some reports suggest the dump contains over 130 exploits, with two carrying critical CVSS scores of 9.2, making them highly weaponizable today.

AI-Assisted Vulnerability Research

This incident highlights structural issues in the 2026 security landscape. According to Onionmail, the volume of exposed vulnerabilities underscores the risks associated with AI-assisted vulnerability research, which enables individuals to find flaws at an unprecedented scale. This trend coincides with a broader industry shift toward coordinated defenses for critical open-source software.

Global Impact and Outlook

The release of functional exploits before patches are available drastically expands the attack surface for enterprises worldwide. While libssh2 maintainers have already merged a fix into the mainline development branch, the speed at which these tools are adopted by threat actors makes immediate dependency auditing and patching critical for all IT environments.