List of software CVE's with some "testing code" alongside an "testable" real web app implementing these vulnerabilities.
Command Injections:
C
1. CVE-2016โ3714 ==> Imagetragick RCE
Argument Injections:
PHP
1. CVE-2016-10033 ==> PHPMailer + Wordpress 4.6 RCE
Code Injections:
JAVA
1. S2-046_CVE-2017-5638 ==> Struts2 OGNL Injection Content-Length+Filename