Pwn2Own reveals 47 zero-days

- Trend Micro’s Zero Day Initiative said on May 16 that Pwn2Own Berlin ended with 47 unique zero-days disclosed across three days.
- Organizers awarded $1,298,250, while DEVCORE won Master of Pwn with 50.5 points and $505,000 after successful exploits including Microsoft Edge and SharePoint.
- Under Pwn2Own Berlin 2026 rules, affected vendors now have 90 days to investigate and issue patches or advisories.

Pwn2Own Berlin closed on May 16 with 47 unique zero-day vulnerabilities demonstrated against enterprise software, browsers, operating systems and a new set of AI-focused targets, according to Trend Micro’s Zero Day Initiative, which runs the contest. The three-day event awarded $1,298,250 to researchers who successfully exploited products including VMware ESXi, Microsoft SharePoint, Microsoft Edge, OpenAI Codex, Cursor and Anthropic Claude Code. ZDI said the contest was held during OffensiveCon in Berlin from May 14 to May 16.

### Which products were actually hacked on stage?

Microsoft Edge, Microsoft SharePoint, VMware ESXi and OpenAI Codex were among the products successfully exploited during the event, ZDI’s day-by-day results show. On the first day, Orange Tsai of DEVCORE chained four logic bugs to escape the Microsoft Edge sandbox for a $175,000 award, while Compass Security used a single CWE-150 bug to exploit OpenAI Codex for $40,000. (zerodayinitiative.com)

Cursor, Anthropic Claude Code and VMware ESXi also appeared in successful demonstrations later in the contest. On May 15, Le Duc Anh Vu of Viettel Cyber Security exploited Cursor for $30,000, and Sina Kheirkhah of Summoning Team exploited OpenAI Codex for $20,000. On May 16, Nguyen Hoang Thach of STARLabs SG exploited VMware ESXi with the cross-tenant code execution add-on for $200,000, while Compass Security hit a collision on Claude Code with a previously used bug. (zerodayinitiative.com)

### Why are some results called “success” and others “collision”?

ZDI’s posted results distinguish between full wins and “collision” cases. A success means the researcher demonstrated a qualifying exploit under contest rules. A collision means the exploit worked on stage, but at least one bug used in the chain had already been reported or was previously known, reducing the payout and points. That is why some Claude Code and OpenAI Codex entries still received money even when they were not counted as fully new findings. (zerodayinitiative.com)

### How large was the prize pool, and who won the event?

ZDI said the final prize total reached $1,298,250 across the three days. The largest single award in the published final results was $200,000 for STARLabs SG’s VMware ESXi exploit with a cross-tenant code execution add-on. DEVCORE finished first in the Master of Pwn standings with 50.5 points and $505,000, according to ZDI. (zerodayinitiative.com) STARLabs SG placed second with 25 points and $242,500, and Out Of Bounds finished third with 12.75 points and $95,750.

### Why were AI coding tools part of Pwn2Own this year?

ZDI said before the event that the 2026 Berlin contest added enterprise-focused AI categories including AI databases, coding agents and local inference systems. (zerodayinitiative.com) The official schedule listed coding-agent targets and other AI systems alongside more established categories such as web browsers, servers, virtualization and operating systems. Day-one and day-two results show those AI categories produced successful exploits against OpenAI Codex, Cursor, Claude Desktop and Claude Code. That made the AI tooling part of the contest a published target set rather than a side demonstration.

### What happens now for Microsoft, VMware and the AI vendors?

The Pwn2Own Berlin 2026 rules say the contest ran from May 14 through May 16, after which affected vendors receive the vulnerability details under the program’s disclosure process. (zerodayinitiative.com) ZDI and outside coverage of the event said vendors now have a 90-day window to investigate and prepare fixes or advisories before public technical disclosure. (zerodayinitiative.com) The next public milestones are likely to be vendor security updates and ZDI write-ups tied to the reported bugs.

Microsoft, VMware, OpenAI, Anthropic and other affected vendors now move into the remediation phase set by the contest rules. (zerodayinitiative.com)
