Learning about Exploitation using VMs. What vulnerabilities should I be implementing? [closed]

Recently, I’ve been working on a project to learn a little bit about the exploitation of vulnerable systems (kind of like vulnhub). Problem is, I want to do it DIY (learn more about configuration / setup this way), but I don’t really know what vulnerabilities to implement on a "victim" Debian machine that I will "attack" with Kali Linux (all in VMs at the moment).

What I’m looking for: Vulnerabilities that are seen commonly in real-world production environments. Misconfigurations or bugs in common programs / operating systems. I want to simulate something realistic — not too vulnerable yet still vulnerable enough to exploit and learn something. That’s not necessarily to say that Remote Code Exec and Priv Esc are unwanted; I just want to limit the number of those kinds of vulns to make my attack paths more interesting.

In other words, what general kinds of exploits or programs (OpenSMTPD, PHP stuff, etc.) that have historically been pretty vulnerable are there that I can install / configure onto my vulnerability lab and play around with? If applicable, a corresponding CVE would be really helpful too. Shoot me with your recommendations.