<!-- markdownlint-disable first-line-heading --> Vulhub is an open-source collection of pre-built, ready-to-use vulnerable Docker environments. With just one command you can launch a vulnerable environment for security research, learning, or…
<!-- markdownlint-disable first-line-heading -->
Vulhub is an open-source collection of pre-built, ready-to-use vulnerable Docker environments. With just one command you can launch a vulnerable environment for security research, learning, or demonstration, no prior Docker experience required.
[中文版本(Chinese version)](README.zh-cn.md)
Quick Start
Install Docker (example for Ubuntu 24.04):
bash
# Install the latest version docker
curl -s https://get.docker.com/ | sh
# Run docker service
systemctl start docker
For other operating systems, see the Docker documentation.
Although all Vulhub environments are running based on Docker Compose, you no longer need to install docker-compose separately. Instead, you can use the built-in docker compose command to start Vulhub environments.
Download and set up Vulhub:
bash
git clone --depth 1 https://github.com/vulhub/vulhub
Launch a vulnerable environment:
bash
cd vulhub/langflow/CVE-2025-3248 # Example: enter a vulnerability directory
docker compose up -d
Each environment directory contains a detailed README with reproduction steps and usage instructions.
Clean up after testing:
bash
docker compose down -v
> [!NOTE]
>
> - Use a VPS or VM with at least 1GB RAM for best results
> - The your-ip in documentation refers to your host/VPS IP, not the Docker container IP
> - Ensure Docker has permission to access all files in the current directory to avoid permission errors
> - Some environments may not support ARM architectures, see [Troubleshooting](#troubleshooting) for details
> - All environments are for testing and educational purposes only. Do not use in production!
Troubleshooting
Docker image pull fails in mainland China
Docker Hub may be inaccessible from mainland China. Use a registry mirror or run Vulhub on an overseas VPS.
Environments fail to start on Apple Silicon (M-series) Macs
Most Vulhub environments run natively on Docker Desktop for Mac with M-series chips. If an environment fails, try setting the platform explicitly:
bash
export DOCKER_DEFAULT_PLATFORM=linux/amd64
docker compose up -d
Environments fail on Kali Linux
Some environments may fail on Kali Linux due to a low ulimit nofile setting. See the FAQ for the fix.
If you encounter issues that you cannot resolve, feel free to seek help from the community:
Contributing
We welcome contributions! Please read our [Contributing Guide](CONTRIBUTING.md) to get started.
Thanks to all contributors:

Partners
Our partners and users:
Sponsor Vulhub on GitHub Sponsor, OpenCollective, or Patreon 🙏
More ways to donate.
License
Vulhub is licensed under the MIT License. See [LICENSE](LICENSE) for details.
Members
-
vulhub ★ PINNED
Pre-Built Vulnerable Environments Based on Docker-Compose
Dockerfile ★ 21k 23d agoExplain → -
java-chains ★ PINNED
Java Vulnerability Exploitation Platform
Dockerfile ★ 2.1k 2mo agoExplain → -
vulhub-cli ★ PINNED
A command-line tool for managing Vulhub vulnerability environments.
Go ★ 8 5mo agoExplain → -
vulhub-org ★ PINNED
Vulhub's homepage
TypeScript ★ 31 2mo agoExplain → -
redis-rogue-getshell
redis 4.x/5.x master/slave getshell module
C ★ 380 6y agoExplain → -
MetaDockers
Responsible for visualization the vulhub and docker
Python ★ 128 5y agoExplain → -
Apereo-CAS-Attack
WIP: Demo for Attacking Apereo CAS
Java ★ 98 6y agoExplain → -
java
Java every minor versions.
Dockerfile ★ 75 3y agoExplain → -
CVE-2017-1000353
jenkins CVE-2017-1000353 POC
Java ★ 57 1y agoExplain → -
JNDIExploit ⑂
A malicious LDAP server for JNDI injection attacks
Java ★ 53 3y agoExplain → -
Dockertools
Some tools based on docker
Dockerfile ★ 24 6y agoExplain → -
vulhub-ui
[WIP] a simple UI for Vulhub
Python ★ 15 5y agoExplain → -
rocketmq-attack
A command-line tool for testing RocketMQ vulnerabilities.
Kotlin ★ 15 1y agoExplain → -
thinkphp-2.1
互联网考古,ThinkPHP2.1带示例和文档完整包
PHP ★ 9 6y agoExplain → -
evil-ipp-server ⑂
A evil IPP server to reproduce CVE-2024-47177
Python ★ 7 1y agoExplain → -
metersphere-plugin-Backdoor
This is a backdoor project for MeterSphere, do not use it in production environment!!! Forking from <https://github.com/metersphere/metersphere-plugin-DebugSampler>
Java ★ 7 2y agoExplain → -
discuz7
互联网考古,Discuz 7.x
PHP ★ 3 5y agoExplain → -
yaml-payload ⑂
No description.
★ 0 4y agoExplain → -
openfire-fastpath-plugin ⑂
This is a evil openfire plugin, do not install it if you don't know what it is
JavaScript ★ 0 3y agoExplain → -
cve-2022-0778 ⑂
No description.
★ 0 4y agoExplain → -
goahead ⑂
GoAhead Web Server
★ 0 6y agoExplain → -
appweb7 ⑂
No description.
★ 0 8y agoExplain → -
mirrors
mirrorsfile
★ 0 7y agoExplain → -
fckeditor ⑂
FCKEditor 2.4.3
JavaScript ★ 0 10y agoExplain →
No repos match these filters.