Top stories
Anonymous GitHub account dumps exploit PoCs framed as undisclosed 0-days
- Category: Security
- Status: discussion
- Sources: HN discussion, threat analysis
- Summary: An anonymous GitHub account ("exploitarium") published a single archive of working exploit proof-of-concepts with a note that none were reported at posting time, inviting readers to report them and claim any assigned CVE. A FemtoSec threat-intelligence writeup assessed the archive as rederived public exploits for already documented vulnerabilities, not genuine unpatched 0-days, naming CVE-2026-55200 (libssh2 heap overflow, CVSS 9.2), CVE-2026-20896 (Gitea auth bypass, CVSS 9.8), and CVE-2025-62408 (c-ares DoS), and noting the PoCs remain highly functional against unpatched systems.
- Comments: HN commenters questioned whether the items are true 0-days, several arguing many trace to already-fixed CVEs and that "0-day" has lost meaning; one walked through the c-ares use-after-free; another noted the volume and documentation looked machine-assisted.
- Why it matters: Mass-publishing functional PoCs without coordination shifts patch pressure onto maintainers and defenders and feeds the AI-accelerated vulnerability-disclosure debate.
- Follow-up: Watch for GitHub takedown of the archive, CVE assignments, and any in-the-wild use of the bundled PoCs.