Templates
Recep Gunes edited this page May 17, 2026 · 2 revisions
The full template catalog is browsable at vulnerabletarget.com. This page provides a curated overview organized by category.
Run `vt template --update` to pull the latest catalog before using any of the commands below.
Intentionally vulnerable applications for hands-on security training.
| ID | Name | Technologies | Tags |
|---|---|---|---|
| `vt-bwapp` | bWAPP | PHP, MySQL | owasp, php, mysql, web |
| `vt-dvwa` | Damn Vulnerable Web App (DVWA) | PHP, MySQL | dvwa, php, mysql, sqli, xss |
| `vt-juice-shop` | OWASP Juice Shop | Node.js, Angular, SQLite | owasp, nodejs, angular, sqli |
| `vt-mutillidae-ii` | OWASP Mutillidae II | PHP, MySQL | owasp, php, mysql, web |
| `vt-webgoat` | OWASP WebGoat | Java | owasp, java, web |
Quick start:
```
vt start --id vt-dvwa
vt start --id vt-juice-shop
```

Or start all labs at once using the playbook:

```
vt playbook run --id vt-pb-0001
```

Isolated Docker environments that reproduce specific CVEs, ready for research and PoC testing.
| ID | CVE | Name | CVSS | Tags |
|---|---|---|---|---|
| `vt-2023-3452` | CVE-2023-3452 | WordPress Canto Plugin RFI | — | wordpress, rfi, plugin |
| `vt-2024-53995` | CVE-2024-53995 | SickChill Login Open Redirect | — | python, open-redirect |
| `vt-2025-24963` | CVE-2025-24963 | Vitest Browser Mode LFI/RCE | — | nodejs, lfi, rce |
| `vt-2025-29927` | CVE-2025-29927 | Next.js Middleware Bypass | 9.1 | nextjs, auth-bypass |
| `vt-2025-32778` | CVE-2025-32778 | Web-Check Command Injection | — | command-injection |
| `vt-2025-55182` | CVE-2025-55182 | React Server Components RCE | — | react, rce |
| `vt-2025-64459` | CVE-2025-64459 | Django SQL Injection | — | django, sqli |
| `vt-2025-71243` | CVE-2025-71243 | SPIP Saisies Plugin RCE | — | php, rce, cms |
| `vt-2026-1207` | CVE-2026-1207 | Django RasterField SQL Injection | — | django, sqli |
| `vt-2026-1357` | CVE-2026-1357 | WPvivid Backup Arbitrary File Upload | — | wordpress, file-upload |
| `vt-2026-1492` | CVE-2026-1492 | WordPress User Registration Privilege Escalation | — | wordpress, privesc |
| `vt-2026-21962` | CVE-2026-21962 | Oracle WebLogic Proxy Plugin Auth Bypass | — | java, auth-bypass |
| `vt-2026-23829` | CVE-2026-23829 | mailpit SMTP Header Injection | — | smtp, header-injection |
| `vt-2026-25512` | CVE-2026-25512 | Group-Office RCE | — | php, rce |
| `vt-2026-27944` | CVE-2026-27944 | Nginx UI Backup Download | — | nginx, lfi |
| `vt-2026-27971` | CVE-2026-27971 | Qwik Unauthenticated RCE | — | nodejs, rce |
Quick start:
```
vt inspect --id vt-2025-29927
vt start --id vt-2025-29927
```

Specialized vulnerability targets for HTTP and API research.
| ID | Name | Description |
|---|---|---|
| `vt-dagu` | Dagu Workflow Engine | Unauthenticated RCE via workflow API |
| `vt-vlife` | Vlife FastJSON Deserialization | Java deserialization vulnerability |
The XBow benchmark suite contains 104+ targeted vulnerability scenarios for validating scanner accuracy and security tool performance.
| ID Range | Focus |
|---|---|
| `vt-xbow-001` to `vt-xbow-104` | SSTI, IDOR, default credentials, injection, and more |
List and filter benchmarks:
```
vt template --list --filter xbow
```

| ID | Name | Contents |
|---|---|---|
| `vt-pb-0001` | Full Lab Suite | All 5 training labs |
| Category | Count |
|---|---|
| Labs | 5 |
| CVEs | 16 |
| HTTP / Other | 2 |
| Benchmarks | 104+ |
| Total | 127+ |
| Playbooks | 1 |