
Anonymous researcher drops 0-day ‘exploitarium’ repo


At least two vulnerabilities are already under attack

Not everyone is willing to follow responsible disclosure of vulns. An anonymous researcher has dumped what they say is working exploit code for zero-day vulnerabilities across 15 software products and open source projects without notifying any vendors or maintainers prior to publishing – and attackers are already exploiting at least two of these.

The first is CVE-2026-55200, a critical, pre-authentication remote code execution (RCE) vulnerability in libssh2, a popular client-side C library that implements the SSH2 protocol. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.

A fix has been merged into the libssh2 mainline development source control branch, and maintainers are still preparing a libssh2 release containing the patch.
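As an added illustration of the bug class described above, and not libssh2's own code or a reproduction of CVE-2026-55200: a defensive check of SSH binary-packet framing (RFC 4253 section 6) that bounds packet_length and the padding fields against the bytes actually received before anything is allocated or copied. The 35000-byte ceiling is an assumed policy value, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy ceiling for packet_length. RFC 4253 6.1 only requires that
   packets of at least 35000 bytes be handled; the cap is an assumption. */
#define SSH_MAX_PACKET_LEN 35000u

enum ssh_status { SSH_OK = 0, SSH_TRUNCATED, SSH_TOO_LARGE, SSH_MALFORMED };

static uint32_t be32(const uint8_t *p) {           /* SSH uint32 is big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check the framing of one unencrypted binary packet (uint32 packet_length,
   byte padding_length, payload, padding) held in buf[0..len) before any
   length field is used for allocation or copying. payload_len may be NULL. */
enum ssh_status ssh_check_packet(const uint8_t *buf, size_t len, size_t *payload_len) {
    if (len < 5) return SSH_TRUNCATED;
    uint32_t packet_length = be32(buf);
    uint8_t padding_length = buf[4];
    if (packet_length > SSH_MAX_PACKET_LEN) return SSH_TOO_LARGE;  /* reject early */
    /* RFC 4253: padding_length >= 4, and payload length must not underflow */
    if (padding_length < 4 || (uint32_t)padding_length + 1 > packet_length)
        return SSH_MALFORMED;
    if ((size_t)packet_length + 4 > len) return SSH_TRUNCATED;
    if (payload_len) *payload_len = packet_length - padding_length - 1;
    return SSH_OK;
}

/* Allocate and copy the payload only after the framing has passed. */
uint8_t *ssh_copy_payload(const uint8_t *buf, size_t len, size_t *out_len) {
    size_t n;
    if (ssh_check_packet(buf, len, &n) != SSH_OK) return NULL;
    uint8_t *p = malloc(n ? n : 1);
    if (p) { memcpy(p, buf + 5, n); *out_len = n; }
    return p;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t SAMPLE_GOOD[]   = {0,0,0,12, 4, 'h','e','l','l','o','!','!', 0,0,0,0};
static const uint8_t SAMPLE_HUGE[]   = {0xff,0xff,0xff,0xff, 4, 0,0,0,0};
static const uint8_t SAMPLE_SHORT[]  = {0,0,0,12, 4};
static const uint8_t SAMPLE_BADPAD[] = {0,0,0,12, 2, 'h','e','l','l','o','!','!', 0,0,0,0};

int main(void) {
    size_t n = 0;
    printf("good: status %d, payload %zu bytes\n",
           ssh_check_packet(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n), n);
    printf("huge: status %d\n", ssh_check_packet(SAMPLE_HUGE, sizeof SAMPLE_HUGE, NULL));
    return 0;
}
```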

The second is CVE-2026-20896, a critical authentication bypass vulnerability affecting self-hosted Gitea Docker deployments that allows unauthenticated remote attackers to impersonate any user and fully take over the Git server. It’s fixed in Gitea 1.26.3.

The researcher, who goes by bikini, dropped the exploit code and vulnerability write-ups in a now-removed GitHub repository called exploitarium. They remind us of Nightmare Eclipse – the zero-day bug hunter who has been publishing Microsoft exploits over the past couple of months.

Unlike Nightmare Eclipse, however, bikini doesn’t appear to hold a grudge against any one vendor, publishing purported vulnerabilities across multiple products and projects including libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, Gitea, and Floci.

Bikini claimed – and, to be clear, The Register has not verified these claims or that the code works – that none of the exploits in the repo have been reported.

“Feel free to report them yourself and take credit for the CVE if handed out lulz,” the anonymous researcher wrote, as shown in this screenshot posted on X by Ledger CTO Charles Guillemet. “Please do not abuse these. I do this so to allure people into the field.”


Other researchers, including Federal Signal analyst Ethan Andrews, suggested that bikini used advanced AI models – specifically GPT-5.5 Codex – to automate fuzzing and vulnerability discovery, in yet another indication that the AI-induced vulnpocalypse is nigh.

In response to bikini’s data dump, Andrews built 44 KQL detection rules covering the full exploitarium repo with language translation available for non-KQL stacks.

“The most technically significant findings – libssh2 pre-auth heap write and Gitea default Docker auth bypass – have been independently verified as high-risk with active exploitation observed,” Andrews wrote, noting that some of the exploitarium disclosures “have been dismissed by the community as low-impact AI-fuzzing noise.”

While the repository has since been removed by GitHub, nothing ever truly dies on the internet, and it’s safe to assume that attackers are now also using AI to scan for vulnerable instances. In many cases, bikini’s PoCs mean they don’t even have to spend time developing an exploit. ®
