Guided labs are the bread and butter of the platform. Each one is a self-contained lesson around a single real CVE. You spend 20 to 60 minutes per lab, depending on the difficulty and how familiar you are with the bug class.

The catalog

Open Labs in the sidebar. The catalog is a grid of cards. Each card shows:
  • The CVE ID (for example, CVE-2024-12345).
  • The lab title.
  • A severity badge (low, medium, high, critical).
  • The XP value.
  • Your status with this lab: not started, in progress, or complete.
The grid scrolls. Older labs are at the bottom; newer ones at the top. A search box sits above the grid. It matches on CVE ID and on title. Typing "traversal" will pull up every lab with path traversal in the name. Typing "2023" will pull up every CVE from 2023. The search is debounced, so it waits a fraction of a second after you stop typing before running.

Status filter

Four filters at the top:
  • All: every lab.
  • Not started: ones you have not touched.
  • In progress: ones with at least one answered question but not all five.
  • Complete: ones where all five questions are correct.
The filter is sticky for the session. If you reload the page it resets to All.

Severity

Severity comes from the original CVE record. The colours map to the standard scale:
  • Critical: red. Remote code execution, auth bypass on production systems, the worst stuff.
  • High: orange. Serious but more bounded. Privilege escalation, sensitive data exposure.
  • Medium: yellow. Real bugs, but harder to weaponise or limited in blast radius.
  • Low: green. Information disclosure, minor configuration issues.
Severity is not a difficulty rating. A critical CVE can be easy to exploit (the patch is one line) and a medium one can be a nightmare to chain. Use severity to pick what you find interesting, not to pick what you find hard.

XP

XP is set per lab and is fixed. It does not scale with how quickly you solve it. Larger XP usually means more steps in the reproduction, a harder patch to read, or a bug class that requires more setup. XP is also weighted slightly toward newer CVEs, because the world cares more about bugs people are still patching. You earn the XP only on the first correct answer to each question. Coming back to redo a lab does not award XP again.

Lab metadata on the detail page

Click a lab card and you land on the detail page. Beneath the title you will see:
  • The original CVE ID with a link to the upstream advisory.
  • The CVSS score, if available.
  • The vulnerability class (path traversal, SQL injection, XXE, prototype pollution, and so on).
  • First blood: the handle of whoever finished the lab first, and the timestamp.
First blood is the bragging rights row. It updates the moment somebody completes all five questions for the first time. Your handle goes on it if you are first. Nobody else can take it from you after that.

What is not in the catalog

A few things you will not find:
  • Labs without a real CVE backing them. Every lab is tied to a published, real-world vulnerability.
  • Synthetic or training-only bugs invented for the platform.
  • Anything that violates a vendor’s responsible disclosure or that targets active production systems.
If you want to suggest a CVE that is not in the catalog yet, contact the team. The lab catalog grows weekly.

The five step walkthrough

Brief, locate, reproduce, patch, harden.

Questions and XP

How scoring works.