Skip to content

The catalog

Browse Reproductions

191 verified reproductions

RSS Feed

191 reproductions

REPRO-2026-00096 published

Milvus: Unauthenticated Access to Restful API on Metrics Port Leading to System Compromise

CVE-2026-26190 critical Security go
github.com/milvus-io/milvus
16m 18s Feb 19, 2026
REPRO-2026-00095 published

Known CMS: Account Takeover via Password Reset Token Leakage

CVE-2026-26273 critical Security composer
idno/known
17m 40s Feb 19, 2026
REPRO-2026-00094 published

OpenClaw: Path Traversal in Plugin Installation

GHSA-qrq5-wjgg-rvqw critical Security npm
openclaw
7m 36s Feb 19, 2026
REPRO-2026-00093 published

Crawl4AI: Remote Code Execution in Docker API via Hooks Parameter

CVE-2026-26216 critical Security pip
Crawl4AI
10m 34s Feb 19, 2026
REPRO-2026-00092 published

Payload CMS: Blind SQL Injection in JSON/RichText Queries via Drizzle Adapters

CVE-2026-25544 critical Security npm
@payloadcms/drizzle
15m 33s Feb 19, 2026
REPRO-2026-00091 published

Ghost CMS: Unauthenticated SQL Injection in Content API Slug Filter

CVE-2026-26980 critical Security npm
ghost
4m 15s Feb 19, 2026
REPRO-2026-00090 published

WinRAR ADS Path Traversal — Arbitrary Code Execution via Crafted Archive (CVE-2025-8088)

CVE-2025-8088 high Security
123m 42s Feb 17, 2026
REPRO-2026-00089 published

pyca/cryptography SECT curve public key parsing lacks subgroup validation, enabling small-subgroup attacks that leak ECDH private key bits and allow ECDSA signature forgery.

CVE-2026-26007 high Security Variant found
cryptography (pip)
6m 32s Feb 15, 2026
REPRO-2026-00088 published

Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service

GHSA-WXRW-GVG8-FQJP Security Variant found
13m 22s Feb 13, 2026
REPRO-2026-00087 published

Apache Druid basic security LDAP authenticator can be bypassed when the LDAP server allows anonymous binds, permitting login with any existing username and an empty password.

CVE-2026-23906 critical Security Variant found Maven
org.apache.druid.extensions:druid-basic-security
48m 55s Feb 13, 2026
REPRO-2026-00086 published

RAGFlow MinerU parser Zip Slip allows arbitrary file overwrite and potential RCE via malicious ZIP archives.

CVE-2026-24770 Security Variant found pip (per GitHub advisory)
ragflow (RAGFlow)
8m 19s Feb 13, 2026
REPRO-2026-00085 published

Pillow 10.3.0–12.1.0 allows an out-of-bounds write when loading specially crafted PSD images, potentially leading to memory corruption.

GHSA-CFH3-3JMP-RVHC Security Variant found
3m 16s Feb 13, 2026
REPRO-2026-00084 published

Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write

CVE-2025-64712 Security Variant found pypi
unstructured
4m 50s Feb 13, 2026
REPRO-2026-00080 published

Docling-core YAML Deserialization RCE via FullLoader

CVE-2026-24009 high Security Variant found pip
docling-core
6m 1s Feb 13, 2026
REPRO-2026-00078 published

vLLM RCE via auto_map dynamic module loading

CVE-2026-22807 high Security pip
vllm
19m 50s Jan 22, 2026
REPRO-2026-00077 published

GNU InetUtils telnetd Remote Authentication Bypass

critical Security gnu
inetutils
35m 50s Jan 21, 2026
REPRO-2026-00076 published

MCP Server Git: Path Traversal via Missing Repository Path Validation

CVE-2025-68145 medium Security pip
mcp-server-git
11m 29s Jan 21, 2026
REPRO-2026-00072 published

Apache bRPC: Remote Command Injection in Heap Profiler

CVE-2025-60021 high Security cpp
brpc
47m 53s Jan 21, 2026
REPRO-2026-00070 published

wlc: Path traversal via unsanitized API slugs in download command

CVE-2026-23535 high Security pip
wlc
20m 59s Jan 17, 2026
REPRO-2026-00067 published

Svelte XSS via textarea bind:value in SSR

GHSA-gw32-9rmw-qwww high Security npm
svelte
8m 49s Jan 17, 2026