• Category: Security
  • Status: discussion
  • Sources: HN discussion, threat analysis
  • Summary: An anonymous GitHub account ("exploitarium") published a single archive of working exploit proof-of-concepts with a note that none were reported at posting time, inviting readers to report them and claim any assigned CVE. A FemtoSec threat-intelligence writeup assessed the archive as rederived public exploits for already documented vulnerabilities, not genuine unpatched 0-days, naming CVE-2026-55200 (libssh2 heap overflow, CVSS 9.2), CVE-2026-20896 (Gitea auth bypass, CVSS 9.8), and CVE-2025-62408 (c-ares DoS), and noting the PoCs remain highly functional against unpatched systems.
  • Comments: HN commenters questioned whether the items are true 0-days, several arguing many trace to already-fixed CVEs and that "0-day" has lost meaning; one walked through the c-ares use-after-free; another noted the volume and documentation looked machine-assisted.
  • Why it matters: Mass-publishing functional PoCs without coordination shifts patch pressure onto maintainers and defenders and feeds the AI-accelerated vulnerability-disclosure debate.
  • Follow-up: Watch for GitHub takedown of the archive, CVE assignments, and any in-the-wild use of the bundled PoCs.

Send feedback on this story