git404hub

what is vulapps fr?

medicean/vulapps — explained in plain English

Analysis updated 2026-06-26

3,785ShellAudience · researcherComplexity · 2/5Setup · moderate

tl;dr

A collection of intentionally vulnerable app environments packaged as Docker images, spin one up with a single command to practice finding and exploiting real CVE security bugs in a safe, local setting.

vibe map

mindmap
  root((VulApps))
    What it does
      Vulnerable apps
      Docker-based
      CVE practice
    Software Covered
      Web servers
      CMS platforms
      Databases
    Use Cases
      Security research
      CTF training
      Detection testing
    Setup
      Docker pull
      Single command
      Instant teardown

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Spin up a vulnerable WordPress or Struts2 instance to practice exploiting a specific CVE in a safe local environment.

VIBE 2

Build and test security detection tools against real broken software running in Docker containers.

VIBE 3

Study a documented CVE by running the exact vulnerable software version and reproducing the exploit yourself.

VIBE 4

Practice offensive security and capture-the-flag challenges using realistic broken software environments.

what's the stack?

ShellDocker

how it stacks up fr

medicean/vulappsjonmosco/kube-ps1ax/apk.sh
Stars3,7853,7833,781
LanguageShellShellShell
Setup difficultymoderateeasyhard
Complexity2/51/53/5
Audienceresearcherops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

Requires Docker installed locally, the README is in Chinese, though Docker commands are universal.

in plain english

VulApps is a collection of intentionally vulnerable application environments that security researchers and students can spin up on their own computers to practice finding and exploiting known software flaws. Each environment comes packaged as a Docker image, which means you can start a realistic broken version of a real product with a single command and tear it down just as quickly when you are done. The project covers a wide range of well-known software: web servers like Nginx and Tomcat, content management systems like WordPress and Joomla, frameworks like Spring and Struts2, databases like Redis and Memcached, and tools like Jenkins and JBoss. Most entries correspond to specific publicly documented security bugs, often referenced by their CVE identifier, so you can look up what the flaw is and then try to reproduce it in a safe, isolated setting. Using a specific environment follows a short two-step process. You look up the Docker image tag listed in the README for the vulnerability you want to study, pull the image from Docker Hub, and then run a container from it. Within seconds you have a live web application running locally with that vulnerability present and ready to test against. The project is written mainly in Shell and the Dockerfiles that define each image. It is aimed at people learning offensive security techniques, running capture-the-flag challenges, or building and testing detection tools. The README is in Chinese, though the technical commands are standard Docker syntax that any user familiar with containers can follow. A companion project called vulhub covers similar ground and is linked from the repository.

prompts (copy fr)

prompt 1
Using VulApps, give me the Docker command to spin up a vulnerable Struts2 environment so I can practice exploiting CVE-2017-5638.
prompt 2
How do I pull and run a VulApps Docker image for a vulnerable Redis instance to practice unauthorized access exploits?
prompt 3
List the Spring Framework vulnerabilities available in VulApps and explain how to set up each one for local testing.
prompt 4
I'm building a WAF detection tool. How do I use VulApps to set up a local target environment with a known SQL injection vulnerability?

Frequently asked questions

what is vulapps fr?

A collection of intentionally vulnerable app environments packaged as Docker images, spin one up with a single command to practice finding and exploiting real CVE security bugs in a safe, local setting.

What language is vulapps written in?

Mainly Shell. The stack also includes Shell, Docker.

How hard is vulapps to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is vulapps for?

Mainly researcher.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.