Skip to content

vulhub/vulhub

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2,528 Commits
.claude/skills
.claude/skills
 
 
.github
.github
 
 
1panel/CVE-2024-39907
1panel/CVE-2024-39907
 
 
activemq
activemq
 
 
adminer
adminer
 
 
airflow
airflow
 
 
aj-report/CNVD-2024-15077
aj-report/CNVD-2024-15077
 
 
apache-cxf/CVE-2024-28752
apache-cxf/CVE-2024-28752
 
 
apache-druid/CVE-2021-25646
apache-druid/CVE-2021-25646
 
 
apereo-cas/4.1-rce
apereo-cas/4.1-rce
 
 
apisix
apisix
 
 
appweb/CVE-2018-8715
appweb/CVE-2018-8715
 
 
aria2/rce
aria2/rce
 
 
base
base
 
 
bash/CVE-2014-6271
bash/CVE-2014-6271
 
 
budibase/CVE-2026-31816
budibase/CVE-2026-31816
 
 
cacti
cacti
 
 
celery/celery3_redis_unauth
celery/celery3_redis_unauth
 
 
cgi/CVE-2016-5385
cgi/CVE-2016-5385
 
 
chartbrew/CVE-2026-25887
chartbrew/CVE-2026-25887
 
 
cmsms
cmsms
 
 
coldfusion
coldfusion
 
 
comfyui
comfyui
 
 
confluence
confluence
 
 
couchdb
couchdb
 
 
craftcms
craftcms
 
 
cups-browsed/CVE-2024-47177
cups-browsed/CVE-2024-47177
 
 
discuz
discuz
 
 
django
django
 
 
dns/dns-zone-transfer
dns/dns-zone-transfer
 
 
docker/unauthorized-rce
docker/unauthorized-rce
 
 
drupal
drupal
 
 
dubbo/CVE-2019-17564
dubbo/CVE-2019-17564
 
 
ecshop
ecshop
 
 
elasticsearch
elasticsearch
 
 
electron
electron
 
 
elfinder/CVE-2021-32682
elfinder/CVE-2021-32682
 
 
erlang/CVE-2025-32433
erlang/CVE-2025-32433
 
 
fastjson
fastjson
 
 
ffmpeg
ffmpeg
 
 
flask/ssti
flask/ssti
 
 
flink
flink
 
 
geoserver
geoserver
 
 
ghostscript
ghostscript
 
 
git/CVE-2017-8386
git/CVE-2017-8386
 
 
gitea/1.4-rce
gitea/1.4-rce
 
 
gitlab
gitlab
 
 
gitlist
gitlist
 
 
glassfish/CVE-2017-1000028
glassfish/CVE-2017-1000028
 
 
goahead
goahead
 
 
gogs/CVE-2018-18925
gogs/CVE-2018-18925
 
 
gradio
gradio
 
 
grafana
grafana
 
 
h2database
h2database
 
 
hadoop/unauthorized-yarn
hadoop/unauthorized-yarn
 
 
hertzbeat/CVE-2024-42323
hertzbeat/CVE-2024-42323
 
 
httpd
httpd
 
 
hugegraph
hugegraph
 
 
imagemagick
imagemagick
 
 
inetutils/CVE-2026-24061
inetutils/CVE-2026-24061
 
 
influxdb/CVE-2019-20933
influxdb/CVE-2019-20933
 
 
ingress-nginx/CVE-2025-1974
ingress-nginx/CVE-2025-1974
 
 
jackson/CVE-2017-7525
jackson/CVE-2017-7525
 
 
java
java
 
 
jboss
jboss
 
 
jenkins
jenkins
 
 
jetty
jetty
 
 
jimureport/CVE-2023-4450
jimureport/CVE-2023-4450
 
 
jira/CVE-2019-11581
jira/CVE-2019-11581
 
 
jmeter/CVE-2018-1297
jmeter/CVE-2018-1297
 
 
joomla
joomla
 
 
jumpserver/CVE-2023-42820
jumpserver/CVE-2023-42820
 
 
jupyter/notebook-rce
jupyter/notebook-rce
 
 
kafka/CVE-2023-25194
kafka/CVE-2023-25194
 
 
kibana
kibana
 
 
kkfileview/4.3-zipslip-rce
kkfileview/4.3-zipslip-rce
 
 
langflow/CVE-2025-3248
langflow/CVE-2025-3248
 
 
laravel/CVE-2021-3129
laravel/CVE-2021-3129
 
 
librsvg/CVE-2023-38633
librsvg/CVE-2023-38633
 
 
libssh/CVE-2018-10933
libssh/CVE-2018-10933
 
 
liferay-portal/CVE-2020-7961
liferay-portal/CVE-2020-7961
 
 
livewire/CVE-2025-54068
livewire/CVE-2025-54068
 
 
log4j
log4j
 
 
magento/2.2-sqli
magento/2.2-sqli
 
 
metabase
metabase
 
 
metersphere
metersphere
 
 
mini_httpd/CVE-2018-18778
mini_httpd/CVE-2018-18778
 
 
minio/CVE-2023-28432
minio/CVE-2023-28432
 
 
mojarra/jsf-viewstate-deserialization
mojarra/jsf-viewstate-deserialization
 
 
mongo-express/CVE-2019-10758
mongo-express/CVE-2019-10758
 
 
mysql/CVE-2012-2122
mysql/CVE-2012-2122
 
 
n8n
n8n
 
 
nacos
nacos
 
 
neo4j/CVE-2021-34371
neo4j/CVE-2021-34371
 
 
next.js/CVE-2025-29927
next.js/CVE-2025-29927
 
 
nexus
nexus
 
 
nginx-ui/CVE-2026-27944
nginx-ui/CVE-2026-27944
 
 
nginx
nginx
 
 
node
node
 
 
ntopng/CVE-2021-28073
ntopng/CVE-2021-28073
 
 

Repository files navigation

Vulhub

Chat on Discord GitHub Sponsors Vulnerabilities count GitHub language count GitHub contributors GitHub

Vulhub is an open-source collection of pre-built, ready-to-use vulnerable Docker environments. With just one command you can launch a vulnerable environment for security research, learning, or demonstration, no prior Docker experience required.

中文版本(Chinese version)

Quick Start

Install Docker (example for Ubuntu 24.04):

# Install the latest version docker
curl -s https://get.docker.com/ | sh

# Run docker service
systemctl start docker

For other operating systems, see the Docker documentation.

Although all Vulhub environments are running based on Docker Compose, you no longer need to install docker-compose separately. Instead, you can use the built-in docker compose command to start Vulhub environments.

Download and set up Vulhub:

git clone --depth 1 https://github.com/vulhub/vulhub

Launch a vulnerable environment:

cd vulhub/langflow/CVE-2025-3248  # Example: enter a vulnerability directory
docker compose up -d

Each environment directory contains a detailed README with reproduction steps and usage instructions.

Clean up after testing:

docker compose down -v

Note

  • Use a VPS or VM with at least 1GB RAM for best results
  • The your-ip in documentation refers to your host/VPS IP, not the Docker container IP
  • Ensure Docker has permission to access all files in the current directory to avoid permission errors
  • Some environments may not support ARM architectures, see Troubleshooting for details
  • All environments are for testing and educational purposes only. Do not use in production!

Troubleshooting

Docker image pull fails in mainland China

Docker Hub may be inaccessible from mainland China. Use a registry mirror or run Vulhub on an overseas VPS.

Environments fail to start on Apple Silicon (M-series) Macs

Most Vulhub environments run natively on Docker Desktop for Mac with M-series chips. If an environment fails, try setting the platform explicitly:

export DOCKER_DEFAULT_PLATFORM=linux/amd64
docker compose up -d

Environments fail on Kali Linux

Some environments may fail on Kali Linux due to a low ulimit nofile setting. See the FAQ for the fix.

If you encounter issues that you cannot resolve, feel free to seek help from the community:

Contributing

We welcome contributions! Please read our Contributing Guide to get started.

Thanks to all contributors:

Partners

Our partners and users:

Sponsor Vulhub on GitHub Sponsor, OpenCollective, or Patreon 🙏

More ways to donate.

License

Vulhub is licensed under the MIT License. See LICENSE for details.

About

Pre-Built Vulnerable Environments Based on Docker-Compose

vulhub.org

Topics

docker dockerfile docker-compose vulnerability-environment vulhub

Resources

Readme

License

MIT license

Contributing

Contributing
Activity
Custom properties

Stars

20.4k stars

Watchers

567 watching

Forks

4.8k forks
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Contributors 79

+ 65 contributors

Languages