Top 10 Explorer

Browse all OWASP Top 10 lists covering web (2021 & 2025), API, mobile, GenAI/LLM, CI/CD, and cloud-native security risks.

Top 10 Web Application

10 risks · 2025 edition
Severity legend: ● Critical #1–3 · ● High #4–10
A01 · #01 · CRITICAL

Broken Access Control

Access control enforces policy such that users cannot act outside their intended permissions. Still the #1 risk; moving to more granular, data-centric enforcement is now the standard expectation.

CWEs: CWE-200, CWE-201, CWE-352
A02 · #02 · CRITICAL

Security Misconfiguration

Insecure default configurations, misconfigured cloud storage, verbose error messages, and unnecessary features left enabled. Moved up from #5 in 2021 as cloud and IaC sprawl has made misconfiguration the leading attack surface.

CWEs: CWE-16, CWE-611
A03 · #03 · CRITICAL

Software Supply Chain Failures

NEW in 2025. Vulnerabilities introduced through third-party libraries, open-source dependencies, build tooling, or compromised update mechanisms. Covers SCA, SBOM, and dependency confusion attacks.

CWEs: CWE-1104, CWE-494
A04 · #04 · HIGH

Cryptographic Failures

Failures related to cryptography that expose sensitive data: weak algorithms, improper key management, missing TLS, and storing data in cleartext. Formerly 'Sensitive Data Exposure', now refocused on the cryptographic root cause.

CWEs: CWE-259, CWE-327, CWE-331
A05 · #05 · HIGH

Injection

Untrusted data sent to an interpreter as part of a command or query. SQL, NoSQL, OS, LDAP, and expression language injection can result in data exfiltration, corruption, or full server takeover.

CWEs: CWE-79, CWE-89, CWE-73
A06 · #06 · HIGH

Insecure Design

Missing or ineffective control design: a broad category requiring threat modeling, secure design patterns, and reference architectures during development, not just testing at the end.

CWEs: CWE-73, CWE-183, CWE-209
A07 · #07 · HIGH

Authentication Failures

Flaws in authentication and session management that allow attackers to assume other users' identities. Covers credential stuffing, weak passwords, missing MFA, and session fixation. Renamed from 'Identification and Authentication Failures'.

CWEs: CWE-297, CWE-287, CWE-384
A08 · #08 · HIGH

Software or Data Integrity Failures

Code and infrastructure that does not protect against integrity violations: insecure deserialization, auto-update without signature verification, and CI/CD pipeline poisoning.

CWEs: CWE-829, CWE-494, CWE-502
A09 · #09 · HIGH

Security Logging and Alerting Failures

Insufficient logging, monitoring, and alerting allows breaches to go undetected. Renamed to include 'Alerting' to emphasize the need for active notification pipelines, not just passive log collection.

CWEs: CWE-778, CWE-117, CWE-223
A10 · #10 · HIGH

Mishandling of Exceptional Conditions

NEW in 2025. Applications that crash, expose stack traces, enter undefined states, or silently swallow errors give attackers insight into internals or allow them to bypass security controls through error-path manipulation.

CWEs: CWE-390, CWE-755, CWE-460