Browse Reproductions

54 verified reproductions

REPRO-2026-00099 published

Semantic Kernel: RCE via InMemoryVectorStore Filter

Security critical pip
semantic-kernel
25m 13s Feb 19, 2026
GHSA-xjw9-4gw8-4rqx CVE-2026-26030
REPRO-2026-00098 published

SandboxJS: Host Prototype Pollution via Array Intermediary (Sandbox Escape)

Security critical npm
@nyariv/sandboxjs
16m 1s Feb 19, 2026
GHSA-ww7g-4gwx-m7wj CVE-2026-25881
REPRO-2026-00097 published

CASL Ability: Prototype Pollution via Condition Handling

Security critical npm
@casl/ability
6m 19s Feb 19, 2026
GHSA-x9vf-53q3-cvx6 CVE-2026-1774
REPRO-2026-00096 published

Milvus: Unauthenticated Access to Restful API on Metrics Port Leading to System Compromise

Security critical go
github.com/milvus-io/milvus
16m 18s Feb 19, 2026
GHSA-7ppg-37fh-vcr6 CVE-2026-26190
REPRO-2026-00095 published

Known CMS: Account Takeover via Password Reset Token Leakage

Security critical composer
idno/known
17m 40s Feb 19, 2026
GHSA-78wq-6gcv-w28r CVE-2026-26273
REPRO-2026-00094 published

OpenClaw: Path Traversal in Plugin Installation

Security critical npm
openclaw
7m 36s Feb 19, 2026
GHSA-qrq5-wjgg-rvqw
REPRO-2026-00093 published

Crawl4AI: Remote Code Execution in Docker API via Hooks Parameter

Security critical pip
Crawl4AI
10m 34s Feb 19, 2026
GHSA-5882-5rx9-xgxp CVE-2026-26216
REPRO-2026-00092 published

Payload CMS: Blind SQL Injection in JSON/RichText Queries via Drizzle Adapters

Security critical npm
@payloadcms/drizzle
15m 33s Feb 19, 2026
GHSA-xx6w-jxg9-2wh8 CVE-2026-25544
REPRO-2026-00091 published

Ghost CMS: Unauthenticated SQL Injection in Content API Slug Filter

Security critical npm
ghost
4m 15s Feb 19, 2026
GHSA-w52v-v783-gw97 CVE-2026-26980
REPRO-2026-00090 published

WinRAR ADS Path Traversal — Arbitrary Code Execution via Crafted Archive (CVE-2025-8088)

Security high
123m 42s Feb 17, 2026
GHSA-832g-3rcm-wcrf CVE-2025-8088
REPRO-2026-00089 published

pyca/cryptography SECT curve public key parsing lacks subgroup validation, enabling small-subgroup attacks that leak ECDH private key bits and allow ECDSA signature forgery.

Security high
cryptography (pip)
6m 32s Feb 15, 2026
GHSA-R6PH-V2QM-Q3C2 CVE-2026-26007
REPRO-2026-00088 published

Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service

Security
13m 22s Feb 13, 2026
GHSA-WXRW-GVG8-FQJP
REPRO-2026-00087 published

Apache Druid basic security LDAP authenticator can be bypassed when the LDAP server allows anonymous binds, permitting login with any existing username and an empty password.

Security critical Maven
org.apache.druid.extensions:druid-basic-security
48m 55s Feb 13, 2026
GHSA-Q672-HFC7-G833 CVE-2026-23906
REPRO-2026-00086 published

RAGFlow MinerU parser Zip Slip allows arbitrary file overwrite and potential RCE via malicious ZIP archives.

Security pip (per GitHub advisory)
ragflow (RAGFlow)
8m 19s Feb 13, 2026
REPRO-2026-00085 published

Pillow 10.3.0–12.1.0 allows an out-of-bounds write when loading specially crafted PSD images, potentially leading to memory corruption.

Security
3m 16s Feb 13, 2026
GHSA-CFH3-3JMP-RVHC
REPRO-2026-00084 published

Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write

Security pypi
unstructured
4m 50s Feb 13, 2026
GHSA-GM8Q-M8MV-JJ5M CVE-2025-64712
REPRO-2026-00080 published

Docling-core YAML Deserialization RCE via FullLoader

Security high pip
docling-core
6m 1s Feb 13, 2026
GHSA-VQXF-V2GG-X3HC CVE-2026-24009
REPRO-2026-00078 published

vLLM RCE via auto_map dynamic module loading

Security high pip
vllm
19m 50s Jan 22, 2026
GHSA-2pc9-4j83-qjmr CVE-2026-22807
REPRO-2026-00077 published

GNU InetUtils telnetd Remote Authentication Bypass

Security critical gnu
inetutils
35m 50s Jan 21, 2026
REPRO-2026-00076 published

MCP Server Git: Path Traversal via Missing Repository Path Validation

Security medium pip
mcp-server-git
11m 29s Jan 21, 2026
GHSA-j22h-9j4x-23w5 CVE-2025-68145