CHANGELOG

What's new in Breachforge.

A running log of platform releases — new challenges, new labs, infrastructure changes, and fixes. Ordered newest first. Dates reflect the calendar day the release landed on the main branch.

Apr 16 2026
v0.4.0 Latest Rebrand

Breachforge release — platform rename, flag submission, new flag format.

• Changed
  • Renamed the platform from Polyglot Vulnerability Lab (PVL) to Breachforge. All UI, docs, and internal references updated.
  • Flag format migrated from PVL{...} to BF{...} (HMAC-signed). Every challenge and lab flag is now cryptographically generated at startup.
  • Environment variable for host port renamed from PVL_PORT to BREACHFORGE_PORT. Default remains 8080.
• Added
  • Flag submission widget on every live lab card — paste the flag you recover and the page validates it client-side via SHA-256.
  • Progress counter on the Labs page tracking how many of the 4 live labs you've captured this session.
  • Captures persist across reloads via localStorage under breachforge.captured.labs.
  • Documentation, Changelog, and Support pages reachable from the site footer.
  • Footer "Stacks" links now filter the Challenges grid by language on click.
• Fixed
  • Lab card footers now render correctly on narrow viewports (flag input no longer overflows on iPhone SE widths).
  • MicroHub (Lab 04) landing page now inherits the dark theme instead of rendering as raw unstyled HTML.
Feb 2026
v0.3.0

Attack labs — first four multi-vuln chains go live.

• Added
  • Lab 01 — Nimbus. File-sharing SaaS with auth bypass → IDOR → stored XSS → admin session hijack.
  • Lab 02 — MarketOne. E-commerce stack with price tampering → JWT forgery → order manipulation.
  • Lab 03 — Corely. HR portal with SSRF → metadata exfil → S3 key leak → lateral movement.
  • Lab 04 — MicroHub. Internal platform with NoSQLi → SSRF → zip-slip → IDOR to read the treasury user's premium invoice.
  • Labs page with difficulty tier, stack breakdown, and vulns-per-lab meta.
  • Headless Chromium admin bot containers powering realistic "victim opens email" interactions.
Nov 2025
v0.2.0

Node.js stack — full challenge set rounded out.

• Added
  • 10 Node.js + Express challenges: prototype pollution, NoSQL injection, JWT alg=none, open redirect, SSRF, eval sinks, insecure deserialization, and more.
  • Three-tier difficulty selector (Low / Medium / High) on every challenge — same bug, different levels of hardening.
  • Detail overlay with technique notes and launch button.
• Changed
  • Hub styling reworked around a single design system (Plus Jakarta + DM Sans + orange/blue accent).
  • Bento grid replaces the legacy feature-tile layout.
Aug 2025
v0.1.0

Initial release — PHP and Python challenges.

• Added
  • 10 PHP challenges (LFI, SQLi, unrestricted upload, session fixation, deserialization, XXE, and more).
  • 10 Python/Flask challenges (SSTI, SSRF, pickle, JWT misuse, path traversal, weak crypto).
  • Docker Compose orchestration with nginx reverse proxy, MySQL, and MongoDB.
  • Landing page, stack filter, and basic challenge launcher.