Vulnerability Management

Anonymous researcher dumps zero-day exploits for multiple software products

The Register reports that an anonymous researcher, known as bikini, has released exploit code for zero-day vulnerabilities affecting at least 15 software products and open-source projects without prior vendor notification. At least two of these vulnerabilities are already being actively exploited by attackers.

The disclosed exploits include a critical pre-authentication remote code execution vulnerability in libssh2 (CVE-2026-55200) and an authentication bypass vulnerability in self-hosted Gitea Docker deployments (CVE-2026-20896), which allows attackers to impersonate users and take over Git servers. A fix for libssh2 has been merged, and Gitea has released patches. The researcher, who claims to have used AI models such as GPT-5.5 Codex for vulnerability discovery, published the exploits in a now-removed GitHub repository.

While some findings have been dismissed as low-impact, the libssh2 and Gitea vulnerabilities have been independently verified as high-risk. The public release of these exploits, without vendor notification, raises concerns about potential widespread attacks, especially as attackers can now leverage these proofs-of-concept without needing to develop their own exploits.

Source: The Register
