Anonymous GitHub Repository 'exploitarium' Drops Undisclosed Vulnerabilities
An anonymous GitHub user operating under the handle 'bikini' has published a repository called exploitarium, which serves as a consolidated archive of public proof-of-concept (PoC) exploits and vulnerability research writeups. The author claims these vulnerabilities were undisclosed at the time of posting, encouraging others to report them to the respective projects to claim CVEs.
Targeted Software and Vulnerabilities
The exploitarium repository contains a diverse array of targets, including critical infrastructure and widely used open-source tools. The archive is organized into folders, each containing a PoC or research entry.
Key Targets in the Archive
| Project | Entry Name |
|---|---|
| Ghidra | ghidra-12.1.2-rce-ace-calc-poc |
| Docker | docker-cp-copyout-destination-escape |
| Firefox | firefox-smartwindow-private-url-exfil-poc |
| FFmpeg | ffmpeg-rasc-dlta-calc-poc |
| libssh2 | libssh2-publickey-list-calc-poc and libssh2-cve-2026-55200-poc |
| PHP | php857-streambucket-soap-rce-rpoc |
| nmap | nmap-ipv6-extlen-wrap-poc |
| c-ares | c-ares-tcp-uaf-calc-poc |
| 7zip/RAR | 7zip-rar5-motw-chain-poc |
| AnyDesk | anydesk-printer-com-impersonation-poc |
| Gitea | gitea-act-runner-container-options-poc |
| RustDesk | rustdesk-session-permission-pocs |
| OpenVPN | openvpn-connect-echo-script-ace-poc |
Technical Analysis and Community Feedback
While the author presents these as "0-days," the security community has expressed skepticism regarding the severity and complexity of some of the entries.
Debate on Vulnerability Quality
Some users have argued that several of the exploits are trivial or require unrealistic preconditions. For example, one commenter noted that the Ghidra exploits required overwriting binaries in the Swift tool directory, a precondition that already yields code execution by design and is therefore not a vulnerability in itself.
"The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise."
Other users have pointed out that the term "0-day" is often misused in this context, noting that once a PoC is published, it is no longer a 0-day, but simply a public vulnerability.
The Role of AI in Vulnerability Discovery
There is significant discussion regarding whether these vulnerabilities were found using Large Language Models (LLMs). Some commenters suggest that AI is entering a transition period where it can now find simple bugs and DoS (Denial of Service) vulnerabilities more efficiently, though more complex exploits will remain hand-crafted.
"There is going to be a flurry of this sort of stuff as the AIs get smart enough to find them. It will naturally die down as the legitimate ones are fixed."
Implications for Open Source Security
The publication of the exploitarium repository highlights the ongoing tension between open disclosure and coordinated vulnerability disclosure. The author claims the goal is to "allure people into the field" and states that "cybercrime is cringe," but critics argue that publishing PoCs without notifying vendors first puts users at risk.
The 'Puzzle Piece' Theory
One insight from the community suggests that while individual PoCs may be small or limited in scope, consolidating them in one place allows attackers to combine them into more complex attack chains. This transforms a collection of public information into a high-value target for malicious actors.
"Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger."
Security through Obscurity
Some contributors to the discussion have expressed concern that the ability to let bots loose on open-source codebases may make "security through obscurity" a more viable strategy, despite it being a generally discredited security principle.