Skip to content

The catalog

Browse Reproductions

191 verified reproductions

RSS Feed

191 reproductions

REPRO-2026-00202 published

Open VSX Registry serves HTML inline enabling session/token exfiltration

CVE-2026-4983 medium Security Variant found
Eclipse Open VSX (openvsx server)
36m 21s Jul 2, 2026
REPRO-2026-00201 published

Unauthenticated RCE in Langflow via public flow build endpoint

CVE-2026-33017 critical Security Variant found pip
langflow
25m 8s Jul 2, 2026
REPRO-2026-00200 published

Jenkins CLI arbitrary file read via @ argument expansion

CVE-2024-23897 critical Security generic
jenkins
21m 31s Jul 2, 2026
REPRO-2026-00199 published

aiohttp static file directory traversal via follow_symlinks

CVE-2024-23334 high Security pip
aiohttp
11m 4s Jul 2, 2026
REPRO-2026-00198 published

Next.js middleware authorization bypass via x-middleware-subrequest

CVE-2025-29927 critical Security npm
next
37m 24s Jul 2, 2026
REPRO-2026-00197 published

TaskingAI web_reader plugin SSRF via /v1/execute

high Security github
taskingai
17m 35s Jul 2, 2026
REPRO-2026-00196 published

React Server Components Flight protocol remote code execution

CVE-2025-55182 critical Security npm
react-server-dom-webpack
34m 46s Jul 2, 2026
REPRO-2026-00195 published

Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.

CVE-2025-30208 medium Security npm
vite
23m 11s Jul 1, 2026
REPRO-2026-00194 published

Unauthenticated SQL injection in dotCMS Publish Audit API

CVE-2026-8054 critical Security Variant found github
dotCMS/core
116m 7s Jul 1, 2026
REPRO-2026-00193 published

ProFTPD ACL bypass via /proc/self/root path prefix in RNFR

CVE-2026-35025 high Security Variant found github
proftpd/proftpd
88m 18s Jul 1, 2026
REPRO-2026-00192 published

Gogs path traversal in organization name results in RCE through Git hooks

CVE-2026-52813 critical Security Variant found github
gogs/gogs
29m 54s Jul 1, 2026
REPRO-2026-00186 published

libssh2 via curl: malformed SSH packet length crashes SFTP client

CVE-2026-55200 critical Security c
libssh2
11m 23s Jun 25, 2026
REPRO-2026-00185 published

HashiCorp Nomad: path traversal in host volume plugin loader → client-host RCE

CVE-2026-7474 high Security Variant found go
nomad
48m 9s May 28, 2026
REPRO-2026-00184 published

Temporal Server: batcher worker cross-namespace authorization bypass (BatchActivityWithProtobuf)

CVE-2026-5199 medium Security Variant found go
temporal
72m 49s May 28, 2026
REPRO-2026-00183 published

MapServer: heap-buffer-overflow in SLD Categorize parser (msSLDParseRasterSymbolizer)

CVE-2026-33721 high Security Variant found c
mapserver
14m 33s May 28, 2026
REPRO-2026-00173 published

wolfSSL: ECCSI universal signature forgery via missing scalar range check

CVE-2026-5466 high Security Variant found source
wolfssl
16m 28s May 28, 2026
REPRO-2026-00172 published

wolfSSL: EVP ChaCha20-Poly1305 decryption returns plaintext without verifying authentication tag

CVE-2026-5479 high Security Variant found source
wolfssl
12m 46s May 28, 2026
REPRO-2026-00171 published

nginx WebDAV: heap-buffer-overflow in COPY/MOVE with alias directive

CVE-2026-27654 high Security Variant found source
nginx
21m 40s May 28, 2026
REPRO-2026-00170 published

jq: integer overflow in jv_string_concat triggers heap buffer overflow on large strings

CVE-2026-32316 high Security Variant found github
jq
32m 33s May 28, 2026
REPRO-2026-00169 published

DataEase: stacked-query SQL injection via previewSql with allowMultiQueries

CVE-2026-40900 high Security Variant found github
dataease
58m 29s May 26, 2026