Skip to main content
CVE Playground is a hands on security learning platform built around real vulnerabilities. You pick a CVE, the platform boots a private container running the vulnerable app, and you work the exploit yourself. When the session ends, the environment is destroyed. Each lab is built around one real CVE. You read the brief, locate the vulnerable function, reproduce the bug, study the patch, and answer five multiple choice questions that pin down whether you actually understood what you just did. Five correct answers means the lab is finished. Wrong answers do not punish you, but the points only land the first time.

How a session goes

1

Sign in

Auth0 handles the sign in. The first time you sign in you claim a handle, which becomes the URL of your public profile.
2

Pick a lab

Open the labs catalog. Filter by status, search by CVE ID, or just scroll. Each card shows the CVE, severity, and how much XP it is worth.
3

Launch the sandbox

One click. A private container boots in roughly a minute. You get a URL that only you can reach.
4

Work the five steps

Brief, locate, reproduce, patch, harden. Each step has its own multiple choice question. You can move between steps freely.
5

Tear it down

Stop the sandbox when you are done, or let it expire. Either way, the container is destroyed and nothing leaks between sessions.

Who this is for

If you are learning offensive or defensive security and you are tired of reading writeups without ever touching the code, this is for you. Researchers use it to keep a finger on classes of bugs they do not see every day. Hiring managers point new engineers at it during onboarding. You do not need to install anything. A browser is enough.

Next

Open the app

Sign in and start a lab.

Quickstart

Finish your first lab in about ten minutes.

How labs work

A tour through the five step flow.

Read the blog

Vulnerability writeups and platform notes.