The catalog
Browse Reproductions
191 verified reproductions
Popular records
Top viewed reproduction records
Frequently opened evidence pages with direct links to runnable proof and permanent REPRO IDs.
REPRO-2026-00281 Apache Kafka SASL/OAUTHBEARER accepts unvalidated JWTs REPRO-2026-00222 SimpleHelp OIDC authentication accepts unsigned/forged ID tokens, enabling remote authentication bypass and possible MFA bypass in versions 5.5.15 and earlier and 6.0 prereleases prior to the fixed release. REPRO-2026-00259 iCagenda unauthenticated file upload RCE in public event submission form REPRO-2026-00275 Coolify terminal WebSocket endpoints lack proper authorization checks, allowing low-privileged members to access terminal functionality and achieve remote command execution on managed hosts. REPRO-2026-00223 phpBB authentication bypass/account hijacking via OAuth login-link flow with arbitrary auth_provider=apache REPRO-2026-00258 Cudy LT300 3.0 OS command injection
191 reproductions
REPRO-2026-00118 published
cve-2026-21518
CVE-2026-21518 medium Security
40m 34s Feb 21, 2026
REPRO-2026-00115 published
eBay MCP Server Environment Variable Injection via Crafted Prompts
CVE-2026-27203 critical Security npm
@anthropic-ai/ebay-mcp-server
11m 39s Feb 20, 2026
REPRO-2026-00114 published
D-Tale Remote Code Execution via Custom Filter Input
CVE-2026-27194 critical Security pip
dtale
11m 53s Feb 20, 2026
REPRO-2026-00113 published
Feathers OAuth Authorization Header Leak to Third-Party
CVE-2026-27192 high Security npm
@feathersjs/authentication-oauth
7m 45s Feb 20, 2026
REPRO-2026-00112 published
Statamic CMS Stored XSS via Markdown Fieldtype
CVE-2026-27197 high Security composer
statamic/cms
7m 48s Feb 20, 2026
REPRO-2026-00111 published
Formwork CMS Improper Privilege Management in User Creation
CVE-2026-27198 high Security composer
getformwork/formwork
12m 42s Feb 20, 2026
REPRO-2026-00110 published
Deno Command Injection via Incomplete Metacharacter Blocklist
CVE-2026-27190 high Security rust
deno
10m 5s Feb 20, 2026
REPRO-2026-00109 published
Feathers OAuth Open Redirect Account Takeover
CVE-2026-27191 high Security npm
@feathersjs/authentication-oauth
12m 54s Feb 20, 2026
REPRO-2026-00108 published
Zumba JSON Serializer PHP Object Injection
CVE-2026-27206 high Security composer
zumba/json-serializer
11m 26s Feb 20, 2026
REPRO-2026-00107 published
Swiper Prototype Pollution
CVE-2026-27212 critical Security npm
swiper
10m 21s Feb 20, 2026
REPRO-2026-00106 published
Dagu Unauthenticated RCE via Inline DAG Spec
GHSA-6qr9-g2xw-cw92 critical Security go
github.com/dagu-org/dagu
18m 38s Feb 20, 2026
REPRO-2026-00105 published
Fabric.js: Stored XSS via SVG Export
CVE-2026-27013 high Security npm
fabric
16m 24s Feb 19, 2026
REPRO-2026-00104 published
systeminformation: Command Injection via WiFi Interface Parameter
CVE-2026-26280 high Security npm
systeminformation
19m 36s Feb 19, 2026
REPRO-2026-00103 published
jsPDF: PDF Object Injection via Unsanitized addJS Input
CVE-2026-25755 high Security npm
jspdf
14m 30s Feb 19, 2026
REPRO-2026-00102 published
jsPDF: PDF Injection in AcroForm RadioButton allows JS Execution
CVE-2026-25940 high Security npm
jspdf
23m 38s Feb 19, 2026
REPRO-2026-00101 published
LibreNMS: Time-Based Blind SQL Injection in address-search
CVE-2026-26990 high Security composer
librenms/librenms
11m 33s Feb 19, 2026
REPRO-2026-00100 published
systeminformation: Command Injection via locate Output
CVE-2026-26318 high Security npm
systeminformation
18m 44s Feb 19, 2026
REPRO-2026-00099 published
Semantic Kernel: RCE via InMemoryVectorStore Filter
CVE-2026-26030 critical Security pip
semantic-kernel
25m 13s Feb 19, 2026
REPRO-2026-00098 published
SandboxJS: Host Prototype Pollution via Array Intermediary (Sandbox Escape)
CVE-2026-25881 critical Security npm
@nyariv/sandboxjs
16m 1s Feb 19, 2026
REPRO-2026-00097 published
CASL Ability: Prototype Pollution via Condition Handling
CVE-2026-1774 critical Security npm
@casl/ability
6m 19s Feb 19, 2026