Browse Reproductions

99 verified reproductions

REPRO-2026-00150 published

PhpSpreadsheet: SSRF via unsafe stream wrapper in IOFactory::load()

Security critical composer
phpoffice/phpspreadsheet
12m 53s May 22, 2026
GHSA-q4q6-r8wh-5cgh CVE-2026-34084
REPRO-2026-00149 published

PraisonAI: ZipSlip path traversal via unchecked tar symlink linkname in _safe_extractall

Security high pip
praisonai
17m 42s May 22, 2026
GHSA-9q28-ghcr-c4x3 CVE-2026-44340
REPRO-2026-00148 published

Mistune: ReDoS via catastrophic backtracking in LINK_TITLE_RE

Security high pip
mistune
14m 50s May 22, 2026
GHSA-8mp2-v27r-99xp CVE-2026-33079
REPRO-2026-00147 published

Faraday: SSRF via protocol-relative URL overriding base authority

Security medium rubygems
faraday
10m 15s May 22, 2026
GHSA-33mh-2634-fwr2 CVE-2026-25765
REPRO-2026-00146 published

fast-uri: host confusion via percent-encoded authority delimiter in normalize()

Security high npm
fast-uri
10m 18s May 22, 2026
GHSA-v39h-62p7-jpjc CVE-2026-6322
REPRO-2026-00145 published

fast-uri: path traversal via percent-encoded segments decoded before normalization

Security high npm
fast-uri
10m 8s May 22, 2026
GHSA-q3j6-qgpj-74h6 CVE-2026-6321
REPRO-2026-00144 published

phpMyFAQ: unauthenticated SQL injection via User-Agent header in captcha API

Security critical composer
thorsten/phpmyfaq
62m 14s May 22, 2026
GHSA-289f-fq7w-6q2w CVE-2026-46364
REPRO-2026-00143 published

@wdio/browserstack-service: OS command injection via crafted git branch name

Security critical npm
@wdio/browserstack-service
59m 49s May 22, 2026
GHSA-5c46-x3qw-q7j7 CVE-2026-25244
REPRO-2026-00142 published

libheif: integer underflow out-of-bounds read crash via crafted HEIF stsc box

Security medium c
libheif
50m 30s May 22, 2026
GHSA-7f2h-cmpf-v9ww CVE-2026-32738
REPRO-2026-00141 published

rsync: off-by-one out-of-bounds stack write in establish_proxy_connection

Security low c
rsync
29m 29s May 22, 2026
REPRO-2026-00140 published

zenshin: OS command injection in /stream-to-vlc url query parameter

Security critical
zenshin
28m 3s May 22, 2026
REPRO-2026-00139 published

libjwt: JWT algorithm-confusion authentication bypass via RSA JWK without alg

Security critical c
libjwt
13m 26s May 22, 2026
GHSA-q843-6q5f-w55g CVE-2026-44699
REPRO-2026-00138 published

FastMCP: path traversal to authenticated SSRF in OpenAPIProvider _build_url()

Security high pip
fastmcp
37m 15s May 22, 2026
GHSA-vv7q-7jx5-f767 CVE-2026-32871
REPRO-2026-00137 published

ExifReader: unbounded memory amplification DoS via crafted ICC mluc tag

Security high npm
exifreader
35m 45s May 22, 2026
REPRO-2026-00136 published

Microsoft APM: arbitrary file disclosure via symlink-following on apm install

Security high pip
apm
29m 1s May 22, 2026
GHSA-q5pp-gvjg-h7v4 CVE-2026-45539
REPRO-2026-00135 published

jsondiffpatch: prototype pollution via crafted delta in patch()

Security high npm
jsondiffpatch
23m 26s May 22, 2026
REPRO-2026-00134 published

lodash: prototype pollution in _.unset/_.omit deletes global prototype methods

Security medium npm
lodash
29m 27s May 22, 2026
GHSA-xxjr-mmjv-4gpg CVE-2025-13465
REPRO-2026-00133 published

Drupal core: unauthenticated SQL injection via JSON:API filter array keys

Security critical composer
drupal/core
21m 27s May 22, 2026
REPRO-2026-00132 published

ShowDoc Unauthenticated File Upload RCE via deprecated ThinkPHP syntax

Security critical github
showdoc/showdoc
139m 41s Apr 14, 2026
REPRO-2026-00131 published

Apache Tomcat EncryptInterceptor Bypass via CVE-2026-29146 Fix Error - Missing Encryption of Sensitive Data

Security high
Apache Tomcat
19m 38s Apr 14, 2026