Quick context for folks who aren't deep into security: a CVE is a publicly disclosed software vulnerability, basically a bug serious enough that someone gave it an ID number and the world had to patch it.
Here's the frustration that started this project: most people "learn" CVEs by cloning a proof-of-concept from GitHub, running it, watching something break, and moving on. You don't actually understand the vulnerability. You can't explain why the patch fixes it. And you definitely can't talk about it in an interview or a report.
So we built CVE Playground to fix that.
Each lab is built around a real, publicly disclosed CVE and links directly to the upstream fix commit. You read the actual code change, find the bug, study the patch, and then answer guided questions that check if you truly understood what happened.
The flow:
- Preview guided questions to build a real understanding of the vulnerability
- Live Lab practice inside a safe, browser-based environment
- Get the Flag: prove you got it by completing the exploit path
- Certificates/Badges: finish labs and unlock them
A few CVEs already live:
- cPanel cpsrvd auth bypass
- Linux kernel algif_aead
- GitHub Push Option RCE
- Sequelize SQLi
- pac4j-jwt auth bypass
- LightLLM RCE
- vLLM SSRF
- GNU sed TOCTOU
The full app is live at app.cveplayground.com with a dashboard, progress tracking, leaderboard, and profile. The final sandbox lab environment is almost ready.
If you want an email when the sandbox drops: https://cveplayground.com/early-access
Happy to answer questions about the platform, how we pick CVEs, or just what any of these vulnerabilities actually are if you're curious.