An anonymous GitHub account has assembled dozens of working exploits into one repository. Security teams now face a single destination packed with proof-of-concept code for unpatched or recently fixed vulnerabilities. The collection, called Exploitarium, surfaced in recent days and quickly drew attention from both researchers and underground forums.
Its owner, known only by the username bikini, makes no secret of the intent. “At the time I post these, none have been reported,” the repository README states. “Feel free to report them yourself and take credit for the CVE if handed out lulz.” The stated goal is straightforward: draw more people into vulnerability research. “I do this so to allure people into the field, and I’ve always found this is the most efficient way.”
But efficiency comes with side effects. Threat actors on darkforums.ru have already tried to sell some of the same material as fresh zero-days. Analysts dismiss the zero-day claims. The code itself, however, works. And it targets systems that many enterprises still run.
One repository now centralizes exploits that once lived in scattered proof-of-concept projects.
Exploitarium contains more than 30 folders. Each holds a self-contained demonstration for a distinct issue. Some focus on client-side memory corruption. Others show container escapes or authentication bypasses. Recent additions include a PoC for CVE-2026-55200 in libssh2, a public-key list calculation flaw in the same library, an upgrade queue poisoning bug in nghttp2’s nghttpx, and an IPv6 extension length wraparound in Nmap.
The libssh2 case stands out. According to the CVE record from cve.org, the flaw affects libssh2 through version 1.11.1. The library fails to enforce an upper bound on an attacker-controlled packet_length field inside ssh2_transport_read(). A malicious SSH server can send a crafted packet that triggers a 32-bit integer wraparound. The result is an undersized heap buffer followed by an out-of-bounds write. Remote code execution follows. The vulnerability carries a CVSS score of 9.2.
A detailed analysis published two days ago by Femto Security explains the mechanics. “The client and malicious server initiate the standard key exchange handshake. No user authentication or credentials are required,” the report notes. “The malicious server sends an encrypted transport-layer packet containing a crafted, excessively large packet length field.” The subsequent copy operation overflows the heap and corrupts adjacent memory. FemtoSec Threat Intelligence calls the exploit “highly functional” and warns that automated scanners can weaponize it against unpatched internet-facing assets.
The repository’s libssh2-cve-2026-55200-poc folder includes a probe written in C, a Python scaffold for the malicious server, and a local harness that demonstrates arbitrary code execution by overwriting a callback pointer. The README quotes the root cause directly: “libssh2 through 1.11.1 accepted an attacker-controlled SSH packet length in one full-packet decryption path without first enforcing the RFC-sized libssh2 packet maximum.”
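The integer wraparound described above, as an added illustration that is not code from libssh2, from the Exploitarium repository, or from the Femto Security report: a model of a 32-bit packet-length computation that wraps when the length is unbounded, next to the bound check that prevents it. The 35000-byte ceiling is an assumption taken from the packet size RFC 4253 requires implementations to handle; the 16-byte MAC overhead, the function names, and the header bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed ceiling: RFC 4253 section 6.1 requires implementations to handle
 * packets of at least 35000 bytes, used here as the maximum we accept. */
#define MAX_PACKET_LENGTH 35000u

/* Overhead added to the wire length: the 4-byte length field plus an
 * assumed 16-byte MAC (constructed for this model). */
#define LENGTH_FIELD_SIZE 4u
#define MAC_SIZE 16u

/* Read the big-endian 32-bit packet_length that opens an SSH binary packet. */
uint32_t read_packet_length(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
}

/* Unbounded model: the 32-bit addition silently wraps, so a huge
 * packet_length yields a tiny buffer size while the later copy still
 * trusts packet_length. Returns the size the decoder would allocate. */
uint32_t unchecked_total_size(uint32_t packet_length)
{
    return packet_length + LENGTH_FIELD_SIZE + MAC_SIZE; /* may wrap */
}

/* 1 if the unchecked size still covers the payload, 0 once it has wrapped. */
int unchecked_fits(uint32_t packet_length)
{
    return unchecked_total_size(packet_length) >= packet_length;
}

/* Hardened model: reject the length before any arithmetic touches it.
 * Returns 1 and writes the total on success, 0 when the length is rejected.
 * With the bound enforced, the addition cannot wrap. */
int checked_total_size(uint32_t packet_length, uint32_t *total_out)
{
    if (packet_length > MAX_PACKET_LENGTH)
        return 0;
    *total_out = packet_length + LENGTH_FIELD_SIZE + MAC_SIZE;
    return 1;
}

int main(void)
{
    /* Constructed header bytes: packet_length = 0xFFFFFFF0 */
    const unsigned char crafted[4] = {0xFF, 0xFF, 0xFF, 0xF0};
    /* Constructed header bytes: packet_length = 100 */
    const unsigned char normal[4] = {0x00, 0x00, 0x00, 0x64};
    uint32_t len, total;

    len = read_packet_length(crafted);
    printf("crafted length %u -> unchecked size %u (fits: %d)\n",
           len, unchecked_total_size(len), unchecked_fits(len));
    printf("crafted length %u -> checked: %s\n", len,
           checked_total_size(len, &total) ? "accepted" : "rejected");

    len = read_packet_length(normal);
    if (checked_total_size(len, &total))
        printf("normal length %u -> checked size %u\n", len, total);
    return 0;
}
```

The wrapped value is what makes the later copy dangerous: the allocator is asked for a few bytes while the copy length is still the original 32-bit field, so the bound must be enforced on the raw field before it participates in any size arithmetic, not after.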
Similar patterns appear elsewhere. Gitea environments face two risks captured in the archive. One involves Act Runner container options that permit host escapes. Another exploits misconfigured trusted proxies to achieve global admin authentication bypass through a single HTTP header. Organizations that run internet-facing Gitea instances without a strict trusted-proxy list remain at risk.
Floci, an open-source local AWS emulator built on Quarkus, appears in the collection through an API gateway VTL remote code execution path. The real-world danger often stems from development teams mounting the host Docker socket inside the container. An SSRF vulnerability then becomes a container escape. FemtoSec points out that such misconfigurations turn a local testing tool into a backdoor.
c-ares receives attention for both a TCP use-after-free calculation PoC and practical abuse via DLL side-loading. Attackers place malicious payloads next to the legitimate executable in trusted directories. The technique lets info-stealers run with the appearance of normal system activity.
Other entries target everyday tools. ImageMagick’s GraphicsMagick delegate hijack, FFmpeg’s RASC DLTA calculation error, VLC’s VP9 resolution change crash, and Firefox’s Smart Window private URL exfiltration all sit inside the archive. Some are crashes. Others achieve code execution or data leaks. The owner consolidated many former standalone repositories into this one location on or around June 23, 2026. A consolidation check confirmed 96 tracked files with zero mismatches.
Activity has been brisk. The repository saw commits as recently as five hours ago. New drops arrived on June 26 for FFmpeg and additional libssh2 components. The GitHub profile for bikini lists another project called patchwork that appears to automate parts of the research pipeline.
Security mailing lists took notice. An oss-sec thread from four days ago references the Exploitarium PoC for CVE-2026-55200 and debates the exact patch commit. Red Hat published an advisory confirming the out-of-bounds write in the libssh2 client. Red Hat Security notes that a remote attacker can trigger the flaw with a specially crafted SSH packet.
Underground interest arrived quickly. A threat actor on darkforums.ru advertised multiple “unpatched critical zero-day exploits” sourced from Bikini/Exploitarium. The list included Floci, Gitea, libssh, and c-ares. FemtoSec examined the claims and concluded the zero-day label was marketing fiction. “The zero-day claims on dark web forums are likely fraudulent marketing tactics, although the public exploits themselves remain highly dangerous and actionable,” the firm wrote.
That distinction matters. Enterprises cannot dismiss the repository simply because the bugs have CVEs. Many organizations lag on patching libraries used in backup agents, custom command-line tools, embedded firmware, and CI/CD runners. A client application that connects outbound to any SSH server becomes a target for the libssh2 flaw. Developer laptops, staging servers, and automated pipelines all qualify.
Recommendations from recent analysis focus on speed. Audit systems for vulnerable libssh2 instances and apply patches. Configure Gitea trusted proxies to explicit IP lists only. Isolate local emulators like Floci and never mount the host Docker socket. Enforce egress filtering so developer tools cannot reach arbitrary code repositories. Deploy YARA rules that watch for strings such as “cve_2026_55200_probe” or references to the Exploitarium path.
Process monitoring should flag c-ares executables spawning shells from temporary directories. Vulnerability management programs must expand beyond production to catch development and research environments. The risk is not theoretical. The code is public, documented, and ready to compile.
Bikini adds a clear warning at the top of the repository. “Do NOT, under any circumstances, use any material in this repository maliciously. This is good-faith, open-disclosure vulnerability research intended to get more people interested in exploring this area of cybersecurity.” “Cybercrime is cringe,” the profile states elsewhere.
Good intentions do not erase the operational reality. A single Git clone now equips both curious students and opportunistic attackers with production-grade exploits. The archive grows daily. Security teams that treat it as mere research material do so at their own risk.
Recent coverage underscores the tension. Trendshift.io began tracking the repository’s sudden popularity. X accounts such as @Dinosn and @IntCyberDigest shared links within hours of new commits. The conversation has moved from niche researcher circles to broader threat intelligence channels in less than a week.
For defenders the lesson is old but sharpened by current events. Visibility into dependencies matters. Patching speed matters more when working exploits appear in a neatly organized GitHub tree. And the line between educational research and weaponized code has rarely been thinner.
GitHub’s Exploitarium Drops Ready-to-Run Code for Critical Flaws in libssh2, Gitea and More first appeared on Web and IT News.
