Skip to content

The catalog

Browse Reproductions

191 verified reproductions

RSS Feed

191 reproductions

REPRO-2026-00168 published

DataEase: authentication bypass via password-derived HMAC JWT signing key

CVE-2026-23958 high Security Variant found github
dataease
100m 11s May 25, 2026
REPRO-2026-00167 published

DataEase: Quartz JobStore Java deserialization RCE via QRTZ_JOB_DETAILS

CVE-2026-40901 high Security github
dataease
179m 9s May 25, 2026
REPRO-2026-00165 published

DataEase: JDBC parameter blocklist bypass via Lombok @Data setter exposure

CVE-2026-40899 medium Security Variant found github
dataease
111m 23s May 25, 2026
REPRO-2026-00160 published

Arelle: unauthenticated RCE via /rest/configure plugins URL parameter

CVE-2026-42796 critical Security Variant found pip
arelle
48m 18s May 23, 2026
REPRO-2026-00159 published

libheif: heap-buffer-overflow write decoding 1x4 grid of odd-height tiles

CVE-2026-32740 high Security Variant found c
libheif
41m 53s May 23, 2026
REPRO-2026-00158 published

goshs: PUT upload accepts cross-origin requests without CSRF token

CVE-2026-42091 medium Security Variant found go
github.com/patrickhener/goshs
35m 17s May 23, 2026
REPRO-2026-00157 published

Fiber v3: cache middleware key collision leaks responses across different query strings

CVE-2026-30246 medium Security Variant found go
github.com/gofiber/fiber/v3
27m 11s May 23, 2026
REPRO-2026-00156 published

Yii2: local file inclusion via View::renderPhpFile extract() of caller-controlled params

CVE-2026-39850 high Security Variant found composer
yiisoft/yii2
15m 11s May 23, 2026
REPRO-2026-00155 published

gitoxide (gix-fs): symlink worktree escape on checkout writes files outside the worktree

CVE-2026-44471 high Security Variant found cargo
gix-fs
33m 22s May 22, 2026
REPRO-2026-00153 published

Jupyter Server: path traversal via faulty startswith() root containment check

CVE-2026-35397 high Security Variant found pip
jupyter-server
25m 14s May 22, 2026
REPRO-2026-00152 published

apko: symlink-following path traversal writes files outside the build root

CVE-2026-42574 high Security Variant found go
apko
20m 23s May 22, 2026
REPRO-2026-00151 published

Twig: sandbox bypass via SourcePolicy filter check enables arbitrary PHP callables

CVE-2026-24425 high Security Variant found composer
twig/twig
13m 7s May 22, 2026
REPRO-2026-00150 published

PhpSpreadsheet: SSRF via unsafe stream wrapper in IOFactory::load()

CVE-2026-34084 critical Security Variant found composer
phpoffice/phpspreadsheet
12m 53s May 22, 2026
REPRO-2026-00149 published

PraisonAI: ZipSlip path traversal via unchecked tar symlink linkname in _safe_extractall

CVE-2026-44340 high Security Variant found pip
praisonai
17m 42s May 22, 2026
REPRO-2026-00148 published

Mistune: ReDoS via catastrophic backtracking in LINK_TITLE_RE

CVE-2026-33079 high Security Variant found pip
mistune
14m 50s May 22, 2026
REPRO-2026-00147 published

Faraday: SSRF via protocol-relative URL overriding base authority

CVE-2026-25765 medium Security Variant found rubygems
faraday
10m 15s May 22, 2026
REPRO-2026-00146 published

fast-uri: host confusion via percent-encoded authority delimiter in normalize()

CVE-2026-6322 high Security Variant found npm
fast-uri
10m 18s May 22, 2026
REPRO-2026-00145 published

fast-uri: path traversal via percent-encoded segments decoded before normalization

CVE-2026-6321 high Security Variant found npm
fast-uri
10m 8s May 22, 2026
REPRO-2026-00144 published

phpMyFAQ: unauthenticated SQL injection via User-Agent header in captcha API

CVE-2026-46364 critical Security Variant found composer
thorsten/phpmyfaq
62m 14s May 22, 2026
REPRO-2026-00143 published

@wdio/browserstack-service: OS command injection via crafted git branch name

CVE-2026-25244 critical Security Variant found npm
@wdio/browserstack-service
59m 49s May 22, 2026