OWASP Global AppSec EU 2026 Vienna

New CVEs are released constantly, but in practice most teams never go beyond reading the advisory or relying on automated scanning. This POD is designed to change that by giving participants time and platform to hunt and exploit real-world critical CVEs.

Participants will have access to 10 hands-on challenges, each based on a real high or critical severity CVE commonly found in modern applications. Each challenge runs within a limited time window and can be attempted independently of the others.

For each challenge, participants can click a Deploy Lab option to spin up a temporary target system. The deployed application/system contains a previously undisclosed CVE to the participant, and the task is to identify the vulnerability, understand its behavior, and exploit it to demonstrate impact.

There is no fixed order or linear walkthrough. Participants are free to choose which CVEs to attempt, how deep they want to go with each one, and how long they want to stay in the activity. Some CVEs will allow participants to become admin, some might give a reverse shell. Labs are provisioned on demand using infrastructure-as-code, allowing participants to work independently on each challenge.

Some participants may focus on understanding a single CVE and reproducing it reliably. Others may try to exploit multiple issues or explore alternate attack paths. Both approaches are expected and encouraged.

The emphasis of this POD is on building practical intuition: how to read advisories critically, identify vulnerable attack surfaces, validate exploitability, and understand real impact beyond severity scores. The activity is fully hands-on, informal, and designed so people can join and leave at any time without falling behind.