The catalog
Browse Reproductions
189 verified reproductions
Popular records
Top viewed reproduction records
Frequently opened evidence pages with direct links to runnable proof and permanent REPRO IDs.
REPRO-2026-00281 Apache Kafka SASL/OAUTHBEARER accepts unvalidated JWTs REPRO-2026-00222 SimpleHelp OIDC authentication accepts unsigned/forged ID tokens, enabling remote authentication bypass and possible MFA bypass in versions 5.5.15 and earlier and 6.0 prereleases prior to the fixed release. REPRO-2026-00259 iCagenda unauthenticated file upload RCE in public event submission form REPRO-2026-00275 Coolify terminal WebSocket endpoints lack proper authorization checks, allowing low-privileged members to access terminal functionality and achieve remote command execution on managed hosts. REPRO-2026-00223 phpBB authentication bypass/account hijacking via OAuth login-link flow with arbitrary auth_provider=apache REPRO-2026-00258 Cudy LT300 3.0 OS command injection
189 reproductions
REPRO-2026-00266 published
Unauthenticated arbitrary file operations in Splunk Enterprise PostgreSQL sidecar service (SVD-2026-0603)
CVE-2026-20253 critical Security
Variant found
github
splunk/splunk
63m 18s Jul 7, 2026
REPRO-2026-00265 published
Linux kernel kTLS Use-After-Free
CVE-2024-26582 high Security
Variant found
github
torvalds/linux
49m 32s Jul 7, 2026
REPRO-2026-00264 published
Apache Camel camel-docling improperly validates custom CLI arguments, enabling argument injection and path traversal when untrusted data is mapped into docling invocation headers.
CVE-2026-40047 critical Security
Variant found
Maven
apache/camel
41m 23s Jul 7, 2026
REPRO-2026-00263 published
c-ares CVE-2026-33630 RCE primitive construction from confirmed remote UAF
CVE-2026-33630 high Security
Variant found
c
c-ares/c-ares
54m 27s Jul 7, 2026
REPRO-2026-00262 published
ColdFusion 2025 Lockdown: open-RDS unauth direct-Tomcat absolute-path FILEIO RCE confirmed
CVE-2026-48282 critical Security
Adobe ColdFusion
80m 25s Jul 7, 2026
REPRO-2026-00261 published
BerriAI LiteLLM SQL injection
CVE-2026-42271 critical Security
Variant found
pip
BerriAI LiteLLM
168m 42s Jul 7, 2026
REPRO-2026-00259 published
iCagenda unauthenticated file upload RCE in public event submission form
CVE-2026-48939 critical Security
Variant found
joomla
iCagenda
107m 17s Jul 6, 2026
REPRO-2026-00258 published
Cudy LT300 3.0 OS command injection
CVE-2026-32833 high Security
Variant found
firmware
Cudy LT300 V3 firmware
93m 59s Jul 6, 2026
REPRO-2026-00257 published
Apache Airflow Google provider path traversal via GCS object names
CVE-2026-49297 medium Security
Variant found
pip
apache-airflow-providers-google
56m 55s Jul 6, 2026
REPRO-2026-00256 published
Pagekit CMS privilege escalation leading to RCE
CVE-2026-57518 high Security
Variant found
github
pagekit/pagekit
23m 15s Jul 6, 2026
REPRO-2026-00255 published
JAIOTlink C492A-W6 Wi‑Fi IP camera firmware accepts default admin credentials (blank password) over HTTP Basic auth, enabling network‑adjacent attackers to access snapshots and privileged APIs.
CVE-2026-58453 critical Security
Variant found
firmware
jingwenyi/SmartCamera (Anyka N1
29m 42s Jul 6, 2026
REPRO-2026-00254 published
Vibe-Trading DNS rebinding authentication bypass leading to RCE
CVE-2026-58169 high Security
Variant found
Vibe-Trading (pip: vibe-trading-ai)
18m 8s Jul 6, 2026
REPRO-2026-00253 published
Pinpoint through 3.1.0 allows authenticated users to register internal webhook URLs, leading to SSRF when alarm webhooks are delivered.
CVE-2026-57947 medium Security
Variant found
maven
pinpoint-apm/pinpoint
59m 13s Jul 6, 2026
REPRO-2026-00252 published
Divi Form Builder WordPress plugin allows unauthenticated arbitrary file upload via user-controlled acceptFileTypes, leading to RCE by uploading executable PHP extensions and accessing them in /wp-content/uploads/de_fb_uploads/.
CVE-2026-5524 critical Security wordpress
divi-form-builder
20m 35s Jul 6, 2026
REPRO-2026-00251 published
Premmerce Wishlist for WooCommerce unauthenticated SQL injection
CVE-2026-54849 critical Security
Variant found
Premmerce/Premmerce Wishlist for WooCommerce
27m 26s Jul 6, 2026
REPRO-2026-00250 published
JeecgBoot broken access control privilege escalation
CVE-2026-58377 high Security
Variant found
github
jeecgboot/JeecgBoot
31m 46s Jul 6, 2026
REPRO-2026-00249 published
ZAP ViewState add-on insecure deserialization RCE
CVE-2026-57527 high Security
Variant found
github
zaproxy/zap-extensions
26m 16s Jul 6, 2026
REPRO-2026-00248 published
containerd CRI checkpoint import RCE
CVE-2026-50195 critical Security
Variant found
github.com/containerd/containerd/v2
39m 23s Jul 6, 2026
REPRO-2026-00247 published
Kestra unauthenticated RCE via AuthenticationFilter path bypass
CVE-2026-49869 critical Security
Variant found
io.kestra:kestra (Kestra OSS)
26m 25s Jul 6, 2026
REPRO-2026-00246 published
Gradio FileExplorer path traversal
CVE-2026-49119 high Security
Variant found
github
gradio-app/gradio
21m 20s Jul 6, 2026