Anonymous Researcher Releases Exploit Code for 15 Zero-Day Vulnerabilities, Including Actively Exploited Flaws
An anonymous researcher has published exploit code for 15 zero-day vulnerabilities, with at least two already being exploited in the wild, raising concerns about rapid attacker adoption.

An anonymous security researcher, operating under the pseudonym 'bikini,' has released a repository containing exploit code for fifteen zero-day vulnerabilities affecting various software products and open-source projects. Notably, this release occurred without prior notification to the affected vendors or maintainers, a departure from standard coordinated disclosure practice. The researcher's stated aim is to encourage interest in the cybersecurity field, but the immediate effect is that working exploits are now public for flaws that, in several cases, have no shipped patch, leaving affected systems exposed until vendors release fixes.
Among the disclosed vulnerabilities, two are highlighted as critical and are reportedly already under active exploitation. The first, CVE-2026-55200, is a pre-authentication remote code execution (RCE) flaw in libssh2, a widely used C library for the SSH2 protocol. Attackers can exploit this by sending specially crafted SSH packets with excessively large packet lengths, leading to heap memory corruption and subsequent code execution. While a fix has been merged into the libssh2 development branch, a stable release containing the patch is still pending.
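The libssh2 flaw is described above only at the level of "an excessively large packet length leads to heap corruption". The following C program is an added illustration, not libssh2's code and not the actual bug: it parses the generic SSH binary packet header from RFC 4253 (uint32 packet_length, uint8 padding_length) and shows the unsafe shape beside a hardened parser. The function names, the sample packets (constructed, not captured traffic) and the 35000-byte cap are assumptions for the example; the cap is the RFC 4253 minimum that implementations must accept, and a real implementation would add cipher block alignment and MAC checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* RFC 4253 6.1: implementations must accept packets of up to 35000 bytes
   and may reject larger ones; section 6: at least 4 bytes of padding. */
#define SSH_MAX_PACKET_LEN 35000u
#define SSH_HEADER_LEN     5u      /* uint32 packet_length + uint8 padding_length */
#define SSH_MIN_PADDING    4u

enum ssh_status { SSH_OK = 0, SSH_ERR_SHORT, SSH_ERR_TOO_LONG,
                  SSH_ERR_PADDING, SSH_ERR_TRUNCATED };

struct ssh_packet {
    uint32_t packet_length;
    uint8_t  padding_length;
    const uint8_t *payload;
    size_t   payload_len;
};

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe shape (hypothetical, not libssh2's code): the payload size is
   derived from attacker-controlled header fields with no bounds check.
   The subtraction is unsigned, so packet_length = 0 yields about 4 GiB,
   and a huge packet_length flows straight into the caller's malloc/memcpy. */
static uint32_t unchecked_payload_len(const uint8_t *buf)
{
    uint32_t packet_length  = read_u32_be(buf);
    uint8_t  padding_length = buf[4];
    return packet_length - padding_length - 1u;   /* may wrap */
}

/* Hardened parser: every wire-supplied length is bounded before it is
   used in arithmetic, allocation or copying. */
static enum ssh_status
ssh_parse_packet(const uint8_t *buf, size_t buflen, struct ssh_packet *out)
{
    if (buflen < SSH_HEADER_LEN)
        return SSH_ERR_SHORT;

    uint32_t packet_length  = read_u32_be(buf);
    uint8_t  padding_length = buf[4];

    if (packet_length > SSH_MAX_PACKET_LEN)             /* 1. cap the claimed length */
        return SSH_ERR_TOO_LONG;
    if (padding_length < SSH_MIN_PADDING ||
        packet_length < (uint32_t)padding_length + 1u)  /* 2. payload_len cannot wrap */
        return SSH_ERR_PADDING;
    if ((size_t)packet_length + 4u > buflen)            /* 3. whole packet is present */
        return SSH_ERR_TRUNCATED;

    out->packet_length  = packet_length;
    out->padding_length = padding_length;
    out->payload        = buf + SSH_HEADER_LEN;
    out->payload_len    = packet_length - padding_length - 1u;
    return SSH_OK;
}

/* Verdict-only wrapper. */
static enum ssh_status ssh_check(const uint8_t *buf, size_t buflen)
{
    struct ssh_packet pkt;
    return ssh_parse_packet(buf, buflen, &pkt);
}

/* Payload length after validation, or 0 when the packet is rejected. */
static size_t ssh_checked_payload_len(const uint8_t *buf, size_t buflen)
{
    struct ssh_packet pkt;
    return ssh_parse_packet(buf, buflen, &pkt) == SSH_OK ? pkt.payload_len : 0;
}

/* Constructed sample packets (not captured traffic), 16 bytes each. */
/* Well-formed: packet_length 12, padding 4, 7-byte payload. */
static const uint8_t PKT_GOOD[] = { 0x00,0x00,0x00,0x0c, 0x04,
    0x14,'h','e','l','l','o','!', 0x00,0x00,0x00,0x00 };
/* Claims 0xffffffff bytes: the "excessively large packet length" case. */
static const uint8_t PKT_HUGE[] = { 0xff,0xff,0xff,0xff, 0x04,
    0,0,0,0,0,0,0,0,0,0,0 };
/* packet_length 0 with padding 4: makes the unchecked subtraction wrap. */
static const uint8_t PKT_ZERO[] = { 0x00,0x00,0x00,0x00, 0x04,
    0,0,0,0,0,0,0,0,0,0,0 };
/* Claims 100 bytes but only 16 arrived. */
static const uint8_t PKT_SHORT[] = { 0x00,0x00,0x00,0x64, 0x04,
    0,0,0,0,0,0,0,0,0,0,0 };

int main(void)
{
    printf("good  : status %d, payload %zu bytes\n",
           ssh_check(PKT_GOOD, sizeof PKT_GOOD),
           ssh_checked_payload_len(PKT_GOOD, sizeof PKT_GOOD));
    printf("huge  : status %d (unchecked len %u)\n",
           ssh_check(PKT_HUGE, sizeof PKT_HUGE), unchecked_payload_len(PKT_HUGE));
    printf("zero  : status %d (unchecked len %u)\n",
           ssh_check(PKT_ZERO, sizeof PKT_ZERO), unchecked_payload_len(PKT_ZERO));
    printf("short : status %d\n", ssh_check(PKT_SHORT, sizeof PKT_SHORT));
    return 0;
}
```

The ordering of the three checks matters: the cap on packet_length comes first so that neither the padding arithmetic nor the `packet_length + 4` comparison is ever computed on an unbounded value, and the truncation check uses `size_t` so the addition cannot wrap on 32-bit builds.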
The second actively exploited vulnerability is CVE-2026-20896, a critical authentication bypass affecting self-hosted Gitea Docker deployments. This flaw allows unauthenticated attackers to impersonate any user, effectively granting them full control over the Git server. A patch is available in Gitea version 1.26.3.
The exploit code and accompanying vulnerability details were initially hosted on a GitHub repository named 'exploitarium,' which has since been removed by the platform. The researcher, bikini, also shared a message encouraging others to report the vulnerabilities themselves and claim credit for any assigned CVEs, further underscoring the non-traditional approach to disclosure. This release draws parallels to the 'Nightmare Eclipse' researcher, who has been releasing Microsoft exploits, but bikini's scope is broader, encompassing multiple vendors and projects.
Beyond libssh2 and Gitea, the exploitarium repository reportedly included exploits for products such as Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares, and Floci. While the researcher claims these flaws were previously undisclosed, independent verification of the claims and of whether the published code actually works is still ongoing. Some community members have dismissed certain disclosures as low-impact 'AI-fuzzing noise.'
Security analysts suggest that advanced AI models, potentially GPT-5.5 Codex, may have been instrumental in bikini's vulnerability discovery process. This aligns with growing concerns about an 'AI-induced vulnpocalypse,' where AI accelerates the identification and potential exploitation of software flaws. In response to the disclosure, researchers have already developed detection rules for many of the vulnerabilities.
The rapid dissemination of exploit code, especially for zero-days, poses a significant challenge for defenders. Attackers can leverage these readily available tools to quickly target vulnerable systems without the need for extensive exploit development. The removal of the repository does little to mitigate the risk, as the code is likely already in the hands of malicious actors and potentially being used in automated scanning efforts.
This incident underscores the evolving landscape of vulnerability discovery and disclosure. The combination of anonymous researchers, potential AI assistance, and rapid public release of exploit code creates a high-stakes environment where timely patching and robust detection mechanisms are more critical than ever.