Anonymous researcher drops 0-day 'exploitarium' repo

An anonymous security researcher publishing under the name bikini has released what they describe as functional exploit code and technical details for zero-day vulnerabilities affecting 15 commercial programs and open source initiatives. The material appeared in a GitHub repository named exploitarium without any advance notification to the affected vendors or maintainers. Federal Signal analyst Ethan Andrews reported that at least two of the flaws are already seeing active exploitation.

Critical flaws target libssh2 and Gitea. One is CVE-2026-55200, a critical pre-authentication remote code execution flaw in libssh2, a widely used client-side C library for the SSH2 protocol. Attackers can reportedly send specially crafted SSH packets containing oversized packet_length fields that corrupt heap memory and allow arbitrary code execution. A patch has been merged into the project's main development branch, although maintainers have not yet issued a formal release.

The other tracked issue is CVE-2026-20896, a critical authentication bypass that affects self-hosted Gitea Docker deployments. It allegedly permits unauthenticated remote attackers to impersonate any user and seize complete control of the Git server. The bug is addressed in Gitea 1.26.3.

Broader exploitarium covers multiple vendors. The since-deleted repository also contained alleged zero-days targeting Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Floci and several additional projects. Bikini asserted that none of the issues had been reported to the respective teams beforehand. In remarks captured by a screenshot that Ledger CTO Charles Guillemet posted on X, the researcher stated: "Feel free to report them yourself and take credit for the CVE if handed out lulz" and "Please do not abuse these. I do this so to allure people into the field." The Register has not verified that the published code is functional or that the vulnerabilities were previously unknown.

AI assistance and community response. Multiple observers, among them Ethan Andrews, concluded that bikini relied on advanced AI systems, specifically GPT-5.5 Codex, to automate fuzzing and flaw discovery. Andrews responded by assembling 44 KQL detection rules that address every item in the exploitarium collection, including language translations for teams using other query languages. He described the libssh2 heap corruption and Gitea bypass as the most technically significant entries, independently confirmed as high-risk with in-the-wild exploitation already occurring, while some of the remaining disclosures have been labeled low-impact AI-fuzzing noise by parts of the community.

Exploitation and lingering risks. Although GitHub removed the repository, copies persist online and attackers are presumed to be employing AI tools to locate vulnerable systems. In many instances the provided proof-of-concept code eliminates the need for adversaries to write their own exploits. The episode parallels recent disclosures by another pseudonymous bug hunter known as Nightmare Eclipse, who has concentrated on Microsoft products.