OWASP
owasp.org › www-project-top-ten
OWASP Top Ten Web Application Security Risks | OWASP Foundation
Previous versions are available at OWASP Top Ten 2021 and OWASP Top 10 2017 (PDF).
HOME
OWASP Foundation, the Open Source Foundation for Application Security on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
ABOUT
About the OWASP Foundation on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
PROJECTS
The OWASP Top 10 is the reference standard for the most critical web application security risks.
CHAPTERS
OWASP Local Chapters on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
OWASP Foundation
owasp.org › Top10 › 2025
OWASP Top 10:2025
This is the 2025 version of the OWASP Top 10. This version includes updates based on the latest data and security trends.
OWASP updated their Top 10 - a brand new #3
Broken access control stays NR. 1 Just the following three sink. Supply chain is a very relevant addition. And, in parts, logical. When design and injection etc go down, supply chain which has less controls goes up. I like it :) More on reddit.com
OWASP is creating a top 10 dangers list for Large Language Models
Really glad to see this. LLMs are really useful when integrated into a product, but there's all kinds of new problems they introduce. As a plug, this was our approach in our feature we released in May: https://www.honeycomb.io/blog/hard-stuff-nobody-talks-about-llm#prompt_injection_is_an_unsolved_problem The output of our LLM call is non-destructive and undoable No human gets paged based on the output of our LLM call The LLM isn’t connected to our databases or any other service We parse the output of an LLM into a particular format and run validation against it By not having a chat UI, we make it annoying and difficult to “experiment” with prompt injection inputs and seeing what outputs get returned Our input textbox and allowed outputs are truncated We have rate limits per user, per day We're at least somewhat confident bad shit like customer data exfiltration won't happen. But I'm pretty positive we're going to have to react to something bad in the future. At a minimum, someone will get it to be racist somehow. More on reddit.com
A complete OWASP API Top 10 Manual Testing Guide with vAPI
Nice, pretty comprehensive! Would like a video on the setup part if possible! More on reddit.com
Bank API 🏦 - modern API reference - now complies to OWASP API Security Top 10, CCPA and GDPR
Complies to OWASP Top 10 API Security Risks – 2023 - OWASP API Security Top 10 More on reddit.com
Videos
What's New in 2025 OWASP Top 10?
06:51
OWASP Top 10 2025 explained: What it is, what changed, and how ...
10:15
OWASP top 10 Explained - YouTube
24:36
OWASP Top 10 2025: Your complete guide to securing your applications ...
10:41
The ALL NEW OWASP top 10 - 2025 edition RC 1 - YouTube
OWASP
owasptopten.org
The OWASP Top Ten 2025
We asked ourselves whether we wanted to go with a single CWE for each "category" in the OWASP Top 10. Based on the contributed data, this is what it could have looked something like: 1. Reachable Assertion 2. Divide by Zero 3. Insufficient Transport Layer Encryption 4.
OWASP Foundation
owasp.org › Top10
OWASP Top 10:2025 RC1
Redirecting to OWASP Top 10:2025.
Reddit
reddit.com › r/cybersecurity › owasp updated their top 10 - a brand new #3
r/cybersecurity on Reddit: OWASP updated their Top 10 - a brand new #3
November 12, 2025 -
Just saw the OWASP updated Top 10. Injection vulnerabilities dropped from #1 to #3. Broken access control took the top spot.
https://owasp.org/Top10/2025/0x00_2025-Introduction/
Top answer 1 of 5
34
Broken access control stays NR. 1 Just the following three sink. Supply chain is a very relevant addition. And, in parts, logical. When design and injection etc go down, supply chain which has less controls goes up. I like it :)
2 of 5
25
I appreciate this might be controversial and I confess I am in two minds myself. OWASP top 10 seems to be moving towards a kind of yet-another management/process list and less of actual technical vulnerabilities from, say, actual code - like SQLi or XSS. I don't think the world needa another NIST CSF or ISO 27001. My 2cents/pence.
OWASP Foundation
owasp.org › Top10 › 2021
OWASP Top 10:2021
Welcome to the OWASP Top 10:2021 documentation.
Indusface
indusface.com › learning › owasp-top-10-vulnerabilities
OWASP Top 10:2025 : The Latest Changes and Enhancements
April 23, 2026 - Configuration mistakes in software stack, frameworks, platform, container, cloud or application settings that leave systems open or improperly secured. In OWASP Top 10 2025 this category has moved up to #2 (~3.00% of applications had one or ...
OWASP Foundation
owasp.org › Top10 › 2025 › 0x00_2025-Introduction
Introduction - OWASP Top 10:2025
In this edition of the Top Ten 2025, there are 248 CWEs within the 10 categories. There are a total of 968 CWEs in the downloadable dictionary from MITRE at the time of this release. Similar to what we did for the 2021 edition, we leveraged CVE data for Exploitability and (Technical) Impact.
OWASP
owasp.org › www-project-top-10-for-large-language-model-applications
OWASP Top 10 for Large Language Model Applications | OWASP Foundation
The OWASP Top 10 for Large Language Model Applications continues to be a core component of our work, identifying the most critical security vulnerabilities in LLM applications. Access the latest Top 10 for LLM: https://genai.owasp.org/llm-top-10/
GitHub
github.com › owasp › top10
GitHub - OWASP/Top10: Official OWASP Top 10 Document Repository · GitHub
Official OWASP Top 10 Document Repository · We have released the OWASP Top 10:2025 (Final): OWASP Top10:2025 · Please log any feedback, comments, or log issues here. OWASP Top10:2021 · OWASP Top 10:2017 (PPTX) OWASP Top 10:2017 (PDF) There ...
Starred by 5.9K users
Forked by 1.1K users
Languages HTML 93.9% | Shell 2.9% | Python 1.8%
SecurityWall
securitywall.co › blog › owasp-top-10-web-app-update
OWASP Top 10 2026: Current Version, Full List & Changes
February 24, 2026 - Last verified: June 2026 The current OWASP Top 10 version is the 2021 edition. OWASP has not released a new Top 10 for web applications since 2021. If you've been told your web application pentest should be "OWASP-aligned" and almost every RFP ...
GitLab
about.gitlab.com › blog › security › owasp top 10 2025: what's changed and why it matters
OWASP Top 10 2025: What's changed and why it matters
January 7, 2026 - Explore new supply chain and error handling risks, ranking shifts, and remediation strategies for all 10 categories. ... The OWASP Foundation has released the eighth edition of its influential "Top 10 Security Risks" list for 2025, introducing significant changes that reflect the evolving landscape ...
HHS.gov
hhs.gov › sites › default › files › owasp-top-10.pdf pdf
The OWASP Top 10 August 4, 2022 TLP: WHITE, ID# 202208041300 1
OWASP and the OWASP Top 10 · 3 · Source: OWASP · • Threat Brief: Web Application Attacks in · Healthcare · • Open Web Application Security Project (OWASP) Nonprofit foundation dedicated to improving · software security · Operates under an “open community” model, meaning that anyone can participate in and ·
Fastly
fastly.com › blog › new-2025-owasp-top-10-list-what-changed-what-you-need-to-know
The New 2025 OWASP Top 10 List: What Changed, and What You Need to Know | Fastly
November 18, 2025 - Updated every 4 years or so, the OWASP Top 10 reflects changes to the cybersecurity landscape, highlighting emerging threats. It lists Common Weakness Enumerations (CWEs), or common software and hardware weaknesses. The list serves as a reference standard that provides ranking of and remediation guidance for the top ten most critical application security risks.
Orca Security
orca.security › home › owasp top 10 list
OWASP Top 10: Web App Security Guide | Orca Security
September 19, 2025 - The OWASP Top 10 List is a regularly updated document that identifies the ten most critical web application security risks, based on data collected from security organizations and practitioners worldwide. Published by the Open Web Application Security Project (OWASP), this resource serves as a foundational reference for developers, security teams, and enterprises working to secure web applications.