
Zero-day 'exploitarium' dump hits libssh2, Gitea with live exploits

Manaal Khan · June 30, 2026 at 8:02 AM · 5 min read

Key Takeaways

Source: www.theregister.com
  • An anonymous researcher dumped exploit code for 15 products without notifying vendors, with at least two vulnerabilities already being exploited in the wild
  • CVE-2026-55200 affects libssh2 with pre-auth remote code execution; CVE-2026-20896 allows full Gitea server takeover
  • Security analysts suggest the vulnerabilities were discovered using GPT-5.5 Codex for automated fuzzing, signaling a shift in how zero-days are found

An anonymous security researcher dumped working exploit code for zero-day vulnerabilities across 15 software products, and attackers are already exploiting at least two of them. The researcher, who goes by bikini, published the code in a now-removed GitHub repository called 'exploitarium' without notifying any vendors first.

The two confirmed active exploits target critical infrastructure: libssh2, a widely deployed SSH library, and Gitea, a popular self-hosted Git server. Both vulnerabilities allow unauthenticated remote attackers to compromise systems completely.


What are the exploited vulnerabilities?

CVE-2026-55200 is a pre-authentication remote code execution flaw in libssh2. Attackers can send crafted SSH packets with oversized packet_length values to corrupt heap memory. Because libssh2 is a client-side C library used by curl, Git, and thousands of other applications, the blast radius is enormous. Maintainers have merged a fix into the development branch but haven't cut a release yet.
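The article describes the flaw only as crafted packets with oversized packet_length values corrupting heap memory. The following is an added example, not libssh2's code and not the patch the maintainers merged: a standalone parser for the RFC 4253 binary packet layout that bounds-checks the attacker-controlled length fields before they are used for indexing or allocation. The 35000-byte limit is the RFC 4253 minimum that implementations must accept, used here as a hard ceiling; the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 4253 section 6.1: every implementation must handle packets of 35000 bytes.
   A hardened parser treats anything larger as hostile (assumption: no extension
   negotiated a larger size). */
#define SSH_MAX_PACKET_LEN 35000u
/* packet_length counts padding_length (1 byte) plus at least 4 bytes of padding. */
#define SSH_MIN_PACKET_LEN 5u

enum pkt_status {
    PKT_OK = 0,
    PKT_TRUNCATED = 1,    /* buffer shorter than the header claims */
    PKT_BAD_LENGTH = 2,   /* packet_length outside the protocol range */
    PKT_BAD_PADDING = 3   /* padding_length inconsistent with packet_length */
};

struct ssh_packet {
    uint32_t packet_length;
    uint8_t padding_length;
    const uint8_t *payload;
    size_t payload_len;
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one unencrypted SSH binary packet from buf[0..buflen).
   Order of checks matters: the length is range-checked before it is trusted
   for anything, so an oversized value never reaches an allocator or a memcpy. */
enum pkt_status parse_ssh_packet(const uint8_t *buf, size_t buflen,
                                 struct ssh_packet *out) {
    if (buflen < 5)
        return PKT_TRUNCATED;
    uint32_t packet_length = read_be32(buf);
    if (packet_length > SSH_MAX_PACKET_LEN || packet_length < SSH_MIN_PACKET_LEN)
        return PKT_BAD_LENGTH;
    /* packet_length covers everything after the 4-byte length field itself. */
    if ((size_t)packet_length + 4 > buflen)
        return PKT_TRUNCATED;
    uint8_t padding_length = buf[4];
    /* At least 4 bytes of padding, and padding + its length byte must fit. */
    if (padding_length < 4 || (uint32_t)padding_length + 1 > packet_length)
        return PKT_BAD_PADDING;
    out->packet_length = packet_length;
    out->padding_length = padding_length;
    out->payload = buf + 5;
    out->payload_len = packet_length - padding_length - 1;
    return PKT_OK;
}

/* Convenience wrappers so the result of each sample can be checked directly. */
int classify_packet(const uint8_t *buf, size_t buflen) {
    struct ssh_packet pkt;
    return (int)parse_ssh_packet(buf, buflen, &pkt);
}

size_t parsed_payload_len(const uint8_t *buf, size_t buflen) {
    struct ssh_packet pkt;
    return parse_ssh_packet(buf, buflen, &pkt) == PKT_OK ? pkt.payload_len : 0;
}

/* Constructed samples (not captured traffic). */
const uint8_t SAMPLE_GOOD[16] = {
    0x00, 0x00, 0x00, 0x0c, 0x04,                    /* length 12, padding 4 */
    'h', 'e', 'l', 'l', 'o', '!', '!',               /* 7-byte payload */
    0x00, 0x00, 0x00, 0x00 };                        /* padding */
const uint8_t SAMPLE_OVERSIZED[9] = {
    0x00, 0x01, 0x00, 0x00, 0x04, 0, 0, 0, 0 };      /* length 65536 > 35000 */
const uint8_t SAMPLE_TRUNCATED[8] = {
    0x00, 0x00, 0x00, 0x0c, 0x04, 'a', 'b', 'c' };   /* claims 12, only 4 present */
const uint8_t SAMPLE_BAD_PADDING[16] = {
    0x00, 0x00, 0x00, 0x0c, 0x0c,                    /* padding 12 cannot fit in 12 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("good=%d oversized=%d truncated=%d bad_padding=%d payload_len=%zu\n",
           classify_packet(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           classify_packet(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           classify_packet(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           classify_packet(SAMPLE_BAD_PADDING, sizeof SAMPLE_BAD_PADDING),
           parsed_payload_len(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    return 0;
}
```

The point of the ordering is that the range check and the truncation check both fire before the length is used to compute `payload_len` or to size any buffer, which is the invariant a pre-auth packet parser needs regardless of which library implements it.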

CVE-2026-20896 is an authentication bypass in self-hosted Gitea Docker deployments. Remote attackers can impersonate any user and take full control of the Git server without credentials. Gitea fixed this in version 1.26.3.

Bikini's dump also included purported vulnerabilities in Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, and Floci. The Register notes it has not verified these claims or tested whether the code works.

Why did the researcher bypass responsible disclosure?

In a screenshot posted by Ledger CTO Charles Guillemet, bikini wrote: "Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field."

The motivation appears to be notoriety and recruitment rather than vendor grievance. This distinguishes bikini from Nightmare Eclipse, another anonymous researcher who has been publishing Microsoft exploits over the past few months, apparently out of frustration with Microsoft's handling of vulnerability disclosures.

Did AI find these vulnerabilities?

Federal Signal analyst Ethan Andrews suggested bikini used GPT-5.5 Codex to automate fuzzing and vulnerability discovery. If true, this represents a significant shift. Historically, finding exploitable zero-days required deep manual analysis. AI-assisted fuzzing could dramatically increase the volume of vulnerabilities discovered, and not all discoverers will follow responsible disclosure.

Andrews built 44 KQL detection rules covering the full exploitarium repo, with translations available for non-KQL stacks. He noted that the libssh2 and Gitea vulnerabilities "have been independently verified as high-risk with active exploitation observed," while some other disclosures "have been dismissed by the community as low-impact AI-fuzzing noise."


What should security teams do now?

GitHub removed the exploitarium repository, but the code has already spread. Assume attackers have it. The immediate priorities are patching Gitea to 1.26.3 and monitoring for the libssh2 release.

For libssh2, the situation is messier. The fix is merged but not released. Organizations running applications that depend on libssh2 should inventory their exposure and prepare to patch the moment a release drops. In the meantime, network-level controls that limit SSH access to trusted sources offer partial mitigation.

Andrews' detection rules are worth deploying for organizations with KQL-compatible SIEM platforms. The rules provide coverage while patches roll out.


Logicity's Take

This dump highlights two uncomfortable realities. First, AI-assisted vulnerability discovery is here, and it favors offense. Attackers can now generate exploit candidates faster than defenders can triage them. Second, responsible disclosure only works when researchers choose to participate. When they don't, vendors and users face a race they can't win. Organizations should assume that AI-discovered zero-days will become more common and budget for faster patch cycles accordingly. For security teams evaluating SIEM options, platforms like Splunk (ironically listed in the exploitarium) and Microsoft Sentinel compete on KQL detection rule compatibility. Andrews' free rule set gives Sentinel users an edge here.

The broader pattern

Bikini is the second anonymous researcher in recent months to dump Microsoft-adjacent exploits publicly. Nightmare Eclipse has been doing the same, apparently motivated by perceived mistreatment. Whether these are the same person, a coordinated group, or unrelated actors riding the same trend isn't clear.

What is clear: the summer of 2026 is shaping up badly for security teams. AI is finding vulnerabilities faster than humans can patch them, and some researchers have decided that responsible disclosure is optional.


Frequently Asked Questions

What is the exploitarium GitHub repository?

Exploitarium was a now-removed GitHub repo where anonymous researcher 'bikini' published working exploit code for zero-day vulnerabilities in 15 products including libssh2, Gitea, Splunk, and VLC without notifying vendors first.

Is CVE-2026-55200 being actively exploited?

Yes. Security researchers have observed active exploitation of this libssh2 pre-authentication remote code execution vulnerability in the wild.

How do I patch the Gitea authentication bypass?

Update to Gitea version 1.26.3 or later, which contains the fix for CVE-2026-20896.

Did AI discover these zero-day vulnerabilities?

Analysts suggest bikini used GPT-5.5 Codex to automate fuzzing and vulnerability discovery, though this has not been confirmed.

Where can I find detection rules for exploitarium vulnerabilities?

Federal Signal analyst Ethan Andrews published 44 KQL detection rules covering the exploitarium repo, with translations for non-KQL platforms.


Need Help Implementing This?

If your organization needs help prioritizing patches, deploying detection rules, or assessing exposure to these vulnerabilities, contact our team at Logicity for guidance on security response planning.


Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
