At a glance: Pwn2Own Berlin 2026 concluded with $1.3 million in prize money and 47 zero-day vulnerabilities discovered. Team DEVCORE won with $505,000, while Orange Tsai received the highest individual reward of $200,000 for exploiting Microsoft Exchange.
At the Pwn2Own Berlin 2026 hacking competition, security researchers earned $1,298,250 by exploiting 47 previously unknown security vulnerabilities in enterprise technologies and artificial intelligence.
The competition took place from May 14–16 at the OffensiveCon conference and focused on enterprise technologies and artificial intelligence. The hackers targeted fully patched products across the categories of web browsers, enterprise applications, privilege escalation, servers, local inference, cloud-native/container environments, virtualization, and large language models.
DEVCORE won the competition with 50.5 Master-of-Pwn points and $505,000 in prize money following successful attacks on Microsoft SharePoint, Exchange, Edge, and Windows 11. Cheng-Da Tsai (Orange Tsai) from the DEVCORE team received the highest individual reward of $200,000 for chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange. Other notable exploits targeted Windows 11, Red Hat Linux, NVIDIA Container Toolkit, and VMware ESXi.
Prize distribution: Day one brought $523,000 for 24 zero-days, day two $385,750 for 15 vulnerabilities, and day three $389,500 for eight additional zero-days. STARLabs SG took second place with $242,500 (25 points), followed by Out Of Bounds with $95,750 (12.75 points).
Following the competition, affected vendors have 90 days to publish security patches before Trend Micro's Zero Day Initiative (ZDI) publicly discloses the vulnerabilities.