
Anonymous Researcher Exploits 15 Software Products with Zero-Day Code Dump


An anonymous researcher published working exploit code for zero-day vulnerabilities across 15 software products and open-source projects — and attackers are already exploiting at least two of them.

The "exploitarium" drop and bikini's claims

An individual using the handle bikini created a public GitHub repository called exploitarium and posted exploit code and write-ups for what they said were zero-day vulnerabilities in multiple projects. The repository has since been removed by GitHub, but screenshots and reports of the drop spread quickly; Ledger CTO Charles Guillemet posted one such screenshot on X. Bikini told readers, “Feel free to report them yourself and take credit for the CVE if handed out lulz,” followed by “Please do not abuse these. I do this so to allure people into the field.” The Register, reporting the incident, noted it had not independently verified bikini’s claims that the code works or that the vulnerabilities had not already been reported.

CVE-2026-55200 — libssh2 pre-authentication remote code execution

Among the published items was exploit code tied to CVE-2026-55200, described as a critical pre-authentication remote code execution (RCE) bug in libssh2, a client-side C library that implements SSH2. The published technique sends crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution. The libssh2 maintainers have merged a fix into the project's mainline development branch and are preparing a release that will contain the patch. The Register reports that attackers have been observed exploiting this vulnerability.
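An added example of the defensive check this bug class calls for, written for this article rather than taken from libssh2 (the page does not describe the actual patch): a parser for the 5-byte SSH binary packet header that validates packet_length against the RFC 4253 ceiling of 35000 bytes and the padding rules before any buffer of that size is allocated. The bounds, status codes and the check_hdr helper are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* RFC 4253 s.6.1: every implementation must handle a total packet size of
   35000 bytes; a defensive parser treats a packet_length above that as
   hostile and rejects it before allocating or copying packet_length bytes. */
#define SSH_MAX_PACKET_LEN 35000u
#define SSH_MIN_PACKET_LEN 5u   /* 1 padding_length byte + at least 4 padding bytes */

enum ssh_hdr_status {
    SSH_HDR_OK = 0,
    SSH_HDR_SHORT,       /* fewer than 5 bytes available */
    SSH_HDR_TOO_LARGE,   /* packet_length exceeds the RFC ceiling */
    SSH_HDR_TOO_SMALL,   /* packet_length cannot hold padding_length + padding */
    SSH_HDR_BAD_PADDING  /* padding_length < 4 or larger than the packet */
};

struct ssh_hdr { uint32_t packet_length; uint8_t padding_length; };

/* Parse the 5-byte binary packet header (big-endian uint32 packet_length,
   then uint8 padding_length) and validate it against fixed bounds. */
enum ssh_hdr_status ssh_parse_header(const uint8_t *buf, size_t len, struct ssh_hdr *out)
{
    if (len < 5) return SSH_HDR_SHORT;
    uint32_t plen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    uint8_t pad = buf[4];
    if (plen > SSH_MAX_PACKET_LEN) return SSH_HDR_TOO_LARGE;
    if (plen < SSH_MIN_PACKET_LEN) return SSH_HDR_TOO_SMALL;
    if (pad < 4 || (uint32_t)pad + 1 > plen) return SSH_HDR_BAD_PADDING;
    out->packet_length = plen;
    out->padding_length = pad;
    return SSH_HDR_OK;
}

/* Payload length of a header ssh_parse_header already accepted; the
   subtraction cannot wrap because pad + 1 <= packet_length was enforced. */
uint32_t ssh_payload_len(const struct ssh_hdr *h)
{
    return h->packet_length - h->padding_length - 1;
}

/* Encode a constructed header (assumed helper) and run it through the parser. */
enum ssh_hdr_status check_hdr(uint32_t plen, uint8_t pad)
{
    uint8_t buf[5] = { (uint8_t)(plen >> 24), (uint8_t)(plen >> 16),
                       (uint8_t)(plen >> 8), (uint8_t)plen, pad };
    struct ssh_hdr h;
    return ssh_parse_header(buf, sizeof buf, &h);
}
```

The point is ordering: the length field is distrusted and bounded first, and only a header that passed every check is allowed to drive an allocation or a memcpy.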

CVE-2026-20896 — Gitea Docker authentication bypass (fixed in 1.26.3)

Another exploit in the dump corresponds to CVE-2026-20896, a critical authentication bypass affecting self-hosted Gitea Docker deployments. The vulnerability allowed unauthenticated remote attackers to impersonate any user and fully take over the Git server. The Register reports that this issue has been fixed in Gitea 1.26.3 and that active exploitation has been observed. The public posting of a proof-of-concept for a flaw of this severity increases the urgency for self-hosted Gitea operators to apply the 1.26.3 update.

Other projects named, AI-assisted fuzzing claims, and community reaction

Bikini’s dump included purported vulnerabilities across multiple products and projects besides libssh2 and Gitea: Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Floci and others were named. Bikini’s activity drew direct comparison with another public zero-day publisher known as Nightmare Eclipse, but The Register observed that bikini did not appear to be singling out a single vendor; the disclosures span commercial products and open-source projects.

Some researchers have suggested bikini used advanced AI tooling to produce the material. Federal Signal analyst Ethan Andrews and others speculated that bikini automated fuzzing and vulnerability discovery with a model referred to as GPT-5.5 Codex. Andrews also warned that some entries in the exploitarium have been dismissed by parts of the community as “low-impact AI-fuzzing noise,” even as he acknowledged the presence of high-risk findings in the set.

How technologists, maintainers, and adversaries are responding

  • Technologists and security teams: Federal Signal analyst Ethan Andrews built 44 KQL detection rules covering the full exploitarium repo, with language translation available for non-KQL stacks, and noted that the most technically significant findings — the libssh2 pre-auth heap write and the Gitea Docker auth bypass — have been independently verified as high-risk with active exploitation observed. Security teams facing these threats have concrete detections they can deploy and specific vendor fixes to prioritize.
  • Open-source maintainers and vendors: libssh2 maintainers have merged a corrective change to their mainline branch and are preparing a release; Gitea issued a fix in version 1.26.3. The public posting of proofs-of-concept places stronger pressure on maintainers to push releases and on operators to apply them quickly.
  • Adversaries and opportunistic attackers: The Register observed that attackers are already exploiting at least two of the disclosed flaws. The presence of public PoCs means attackers may not need to invest time developing exploits; the story notes it is reasonable to assume adversaries will also use AI to scan for vulnerable instances.

The immediate facts are stark and specific: a now-removed GitHub repo named exploitarium contained exploit code for multiple zero-day claims; libssh2 and Gitea fixes (or pending fixes) map to two of the highest-risk items; and detection rules have been produced for defenders. The public release — and the researcher’s explicit invitation to others to claim CVEs — underscores a changing calculus for disclosure: when proof-of-concept exploit code is posted, patch cadence and detection deployment become the front line.

Read the original report on The Register: https://www.theregister.com/security/2026/06/29/anonymous-researcher-drops-0-day-exploitarium-repo/5263961