The catalog
Browse Reproductions
191 verified reproductions
Popular records
Top viewed reproduction records
Frequently opened evidence pages with direct links to runnable proof and permanent REPRO IDs.
REPRO-2026-00281 Apache Kafka SASL/OAUTHBEARER accepts unvalidated JWTs REPRO-2026-00222 SimpleHelp OIDC authentication accepts unsigned/forged ID tokens, enabling remote authentication bypass and possible MFA bypass in versions 5.5.15 and earlier and 6.0 prereleases prior to the fixed release. REPRO-2026-00259 iCagenda unauthenticated file upload RCE in public event submission form REPRO-2026-00275 Coolify terminal WebSocket endpoints lack proper authorization checks, allowing low-privileged members to access terminal functionality and achieve remote command execution on managed hosts. REPRO-2026-00223 phpBB authentication bypass/account hijacking via OAuth login-link flow with arbitrary auth_provider=apache REPRO-2026-00258 Cudy LT300 3.0 OS command injection
191 reproductions
REPRO-2026-00202 published
Open VSX Registry serves HTML inline enabling session/token exfiltration
CVE-2026-4983 medium Security
Variant found
Eclipse Open VSX (openvsx server)
36m 21s Jul 2, 2026
REPRO-2026-00201 published
Unauthenticated RCE in Langflow via public flow build endpoint
CVE-2026-33017 critical Security
Variant found
pip
langflow
25m 8s Jul 2, 2026
REPRO-2026-00200 published
Jenkins CLI arbitrary file read via @ argument expansion
CVE-2024-23897 critical Security generic
jenkins
21m 31s Jul 2, 2026
REPRO-2026-00199 published
aiohttp static file directory traversal via follow_symlinks
CVE-2024-23334 high Security pip
aiohttp
11m 4s Jul 2, 2026
REPRO-2026-00198 published
Next.js middleware authorization bypass via x-middleware-subrequest
CVE-2025-29927 critical Security npm
next
37m 24s Jul 2, 2026
REPRO-2026-00197 published
TaskingAI web_reader plugin SSRF via /v1/execute
high Security github
taskingai
17m 35s Jul 2, 2026
REPRO-2026-00196 published
React Server Components Flight protocol remote code execution
CVE-2025-55182 critical Security npm
react-server-dom-webpack
34m 46s Jul 2, 2026
REPRO-2026-00195 published
Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.
CVE-2025-30208 medium Security npm
vite
23m 11s Jul 1, 2026
REPRO-2026-00194 published
Unauthenticated SQL injection in dotCMS Publish Audit API
CVE-2026-8054 critical Security
Variant found
github
dotCMS/core
116m 7s Jul 1, 2026
REPRO-2026-00193 published
ProFTPD ACL bypass via /proc/self/root path prefix in RNFR
CVE-2026-35025 high Security
Variant found
github
proftpd/proftpd
88m 18s Jul 1, 2026
REPRO-2026-00192 published
Gogs path traversal in organization name results in RCE through Git hooks
CVE-2026-52813 critical Security
Variant found
github
gogs/gogs
29m 54s Jul 1, 2026
REPRO-2026-00186 published
libssh2 via curl: malformed SSH packet length crashes SFTP client
CVE-2026-55200 critical Security c
libssh2
11m 23s Jun 25, 2026
REPRO-2026-00185 published
HashiCorp Nomad: path traversal in host volume plugin loader → client-host RCE
CVE-2026-7474 high Security
Variant found
go
nomad
48m 9s May 28, 2026
REPRO-2026-00184 published
Temporal Server: batcher worker cross-namespace authorization bypass (BatchActivityWithProtobuf)
CVE-2026-5199 medium Security
Variant found
go
temporal
72m 49s May 28, 2026
REPRO-2026-00183 published
MapServer: heap-buffer-overflow in SLD Categorize parser (msSLDParseRasterSymbolizer)
CVE-2026-33721 high Security
Variant found
c
mapserver
14m 33s May 28, 2026
REPRO-2026-00173 published
wolfSSL: ECCSI universal signature forgery via missing scalar range check
CVE-2026-5466 high Security
Variant found
source
wolfssl
16m 28s May 28, 2026
REPRO-2026-00172 published
wolfSSL: EVP ChaCha20-Poly1305 decryption returns plaintext without verifying authentication tag
CVE-2026-5479 high Security
Variant found
source
wolfssl
12m 46s May 28, 2026
REPRO-2026-00171 published
nginx WebDAV: heap-buffer-overflow in COPY/MOVE with alias directive
CVE-2026-27654 high Security
Variant found
source
nginx
21m 40s May 28, 2026
REPRO-2026-00170 published
jq: integer overflow in jv_string_concat triggers heap buffer overflow on large strings
CVE-2026-32316 high Security
Variant found
github
jq
32m 33s May 28, 2026
REPRO-2026-00169 published
DataEase: stacked-query SQL injection via previewSql with allowMultiQueries
CVE-2026-40900 high Security
Variant found
github
dataease
58m 29s May 26, 2026