Skip to content

The catalog

Browse Reproductions

189 verified reproductions

RSS Feed

189 reproductions

REPRO-2026-00245 published

Coolify authenticated command injection in Destination Network Management

CVE-2026-34594 high Security Variant found
coollabsio/coolify
50m 51s Jul 6, 2026
REPRO-2026-00244 published

Feast Feature Server unauthenticated arbitrary file write to RCE

CVE-2026-23537 critical Security Variant found github
feast-dev/feast
37m 2s Jul 6, 2026
REPRO-2026-00243 published

Keycloak JWT algorithm confusion privilege escalation

CVE-2026-11800 high Security Variant found github
keycloak/keycloak
46m 0s Jul 6, 2026
REPRO-2026-00242 published

SMS Alert WordPress plugin <= 3.9.5 allows unauthenticated attackers to change a user’s email and reset their password, leading to account takeover and privilege escalation when OTP password reset verification is enabled.

CVE-2026-11387 critical Security Variant found WordPress plugin (hosted on WordPress.org SVN, not GitHub)
sms-alert
22m 56s Jul 6, 2026
REPRO-2026-00241 published

SALESmanago & Leadoo WordPress plugin SQL injection

CVE-2026-10835 high Security Variant found
Unknown/SALESmanago & Leadoo
50m 2s Jul 6, 2026
REPRO-2026-00240 published

Langflow OSS SSRF and privilege escalation

CVE-2026-10129 high Security Variant found
langflow/langflow
56m 49s Jul 6, 2026
REPRO-2026-00239 published

WP Review Slider Pro SQL injection

CVE-2026-8441 high Security Variant found
https://wpreviewslider.com//WP Review Slider Pro
42m 0s Jul 6, 2026
REPRO-2026-00238 published

OpenBMB ChatDev unauthenticated path traversal file upload

CVE-2026-58166 critical Security Variant found github
OpenBMB/ChatDev
28m 27s Jul 6, 2026
REPRO-2026-00237 published

OpenZiti privilege escalation via overpermissive enrollment creation

CVE-2026-58165 high Security Variant found
OpenZiti
22m 39s Jul 6, 2026
REPRO-2026-00236 published

Orkes Conductor unauthenticated RCE via inline script evaluators

CVE-2026-58138 critical Security Variant found
conductor-oss/conductor (Orkes Conductor OSS)
24m 53s Jul 6, 2026
REPRO-2026-00235 published

PACSgear PACS Scan unauthenticated remote code execution

CVE-2026-58126 critical Security Variant found
Hyland/PACSgear PACS Scan
64m 7s Jul 6, 2026
REPRO-2026-00234 published

Blocksy Companion Pro unauthenticated remote code execution

CVE-2026-57624 critical Security Variant found
Creative Themes/Blocksy Companion Pro
37m 0s Jul 6, 2026
REPRO-2026-00233 published

Grav CMS unsafe deserialization and command injection RCE

CVE-2026-56700 critical Security Variant found
getgrav/grav (Composer)
53m 20s Jul 6, 2026
REPRO-2026-00232 published

Page Builder CK unauthenticated arbitrary file upload to RCE

CVE-2026-56290 critical Security Variant found
joomlack/page_builder_ck
23m 44s Jul 6, 2026
REPRO-2026-00231 published

HTTP/2 request smuggling in Vinyl Cache and Varnish Cache (VSV00019)

CVE-2026-50052 low Security Variant found github
varnish/varnish
28m 5s Jul 6, 2026
REPRO-2026-00230 published

Widget Options WordPress plugin contributor remote code execution

CVE-2026-54823 critical Security Variant found
MarketingFire/Widget Options
28m 45s Jul 6, 2026
REPRO-2026-00229 published

CivetWeb PUT + SSI #exec RCE

CVE-VINEXT-CIVETWEB-PUT-SSI-RCE high Security Variant found github
civetweb/civetweb
34m 27s Jul 4, 2026
REPRO-2026-00228 published

nginx charset module segfaults when charset_map uses utf-8 as source charset, causing a NULL pointer dereference and DoS.

high Security generic
nginx
9m 18s Jul 4, 2026
REPRO-2026-00227 published

Grafana unified storage IAM service account listing lacked RBAC filtering, allowing low-privileged users to enumerate service accounts.

high Security Go
grafana/grafana
31m 40s Jul 4, 2026
REPRO-2026-00226 published

Grafana IAM LIST authorization could be bypassed for folder-scoped CRDs when a user had wildcard resource permissions, returning `All: true` without folder-level checks.

high Security Go
grafana/grafana
22m 1s Jul 4, 2026