Executive Summary

This document presents a technical security assessment of VAPI, a deliberately vulnerable API application designed to simulate the OWASP API Security Top 10 (2019). The assessment was conducted in a self-hosted lab environment with the objective of identifying, exploiting, and documenting each vulnerability class, and of providing actionable remediation guidance for each.

Over the course of this assessment, all ten OWASP API vulnerability categories were successfully exploited, along with three additional Arena challenges covering JSON Web Token (JWT) manipulation, Server-Side Request Forgery (SSRF), and Cross-Site Scripting (XSS) injection. A total of thirteen distinct security findings were confirmed.

The findings range in severity from Critical to Low. The most severe vulnerabilities, Broken Object Level Authorization (API1), SQL Injection (API8), and Broken Authentication via credential stuffing (API2), represent attack vectors that, in a production environment, could result in full database compromise, complete account takeover, and mass unauthorized data disclosure. These three findings alone would constitute a critical risk posture for any organization operating an API with similar weaknesses. ...