🌐
OWASP
owasp.org › www-project-top-ten
OWASP Top Ten Web Application Security Risks | OWASP Foundation
Previous versions are available at OWASP Top Ten 2021 and OWASP Top 10 2017 (PDF).
HOME
OWASP Foundation, the Open Source Foundation for Application Security on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
ABOUT
About the OWASP Foundation on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
PROJECTS
The OWASP Top 10 is the reference standard for the most critical web application security risks.
CHAPTERS
OWASP Local Chapters on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
🌐
OWASP Foundation
owasp.org › Top10 › 2025
OWASP Top 10:2025
This is the 2025 version of the OWASP Top 10. This version includes updates based on the latest data and security trends.
Discussions

OWASP updated their Top 10 - a brand new #3
Broken access control stays NR. 1 Just the following three sink. Supply chain is a very relevant addition. And, in parts, logical. When design and injection etc go down, supply chain which has less controls goes up. I like it :) More on reddit.com
🌐 r/cybersecurity
14
108
November 12, 2025
OWASP is creating a top 10 dangers list for Large Language Models
Really glad to see this. LLMs are really useful when integrated into a product, but there's all kinds of new problems they introduce. As a plug, this was our approach in our feature we released in May: https://www.honeycomb.io/blog/hard-stuff-nobody-talks-about-llm#prompt_injection_is_an_unsolved_problem The output of our LLM call is non-destructive and undoable No human gets paged based on the output of our LLM call The LLM isn’t connected to our databases or any other service We parse the output of an LLM into a particular format and run validation against it By not having a chat UI, we make it annoying and difficult to “experiment” with prompt injection inputs and seeing what outputs get returned Our input textbox and allowed outputs are truncated We have rate limits per user, per day We're at least somewhat confident bad shit like customer data exfiltration won't happen. But I'm pretty positive we're going to have to react to something bad in the future. At a minimum, someone will get it to be racist somehow. More on reddit.com
🌐 r/programming
57
916
June 2, 2023
A complete OWASP API Top 10 Manual Testing Guide with vAPI
Nice, pretty comprehensive! Would like a video on the setup part if possible! More on reddit.com
🌐 r/netsec
6
68
December 11, 2024
Bank API 🏦 - modern API reference - now complies to OWASP API Security Top 10, CCPA and GDPR
Complies to OWASP Top 10 API Security Risks – 2023 - OWASP API Security Top 10 More on reddit.com
🌐 r/dotnet
52
172
December 21, 2024
🌐
OWASP
owasptopten.org
The OWASP Top Ten 2025
We asked ourselves whether we wanted to go with a single CWE for each "category" in the OWASP Top 10. Based on the contributed data, this is what it could have looked something like: 1. Reachable Assertion 2. Divide by Zero 3. Insufficient Transport Layer Encryption 4.
🌐
OWASP Foundation
owasp.org › Top10 › 2021
OWASP Top 10:2021
Welcome to the OWASP Top 10:2021 documentation.
🌐
Indusface
indusface.com › learning › owasp-top-10-vulnerabilities
OWASP Top 10:2025 : The Latest Changes and Enhancements
April 23, 2026 - Configuration mistakes in software stack, frameworks, platform, container, cloud or application settings that leave systems open or improperly secured. In OWASP Top 10 2025 this category has moved up to #2 (~3.00% of applications had one or ...
🌐
OWASP Foundation
owasp.org › Top10 › 2025 › 0x00_2025-Introduction
Introduction - OWASP Top 10:2025
In this edition of the Top Ten 2025, there are 248 CWEs within the 10 categories. There are a total of 968 CWEs in the downloadable dictionary from MITRE at the time of this release. Similar to what we did for the 2021 edition, we leveraged CVE data for Exploitability and (Technical) Impact.
Find elsewhere
🌐
OWASP
owasp.org › www-project-top-10-for-large-language-model-applications
OWASP Top 10 for Large Language Model Applications | OWASP Foundation
The OWASP Top 10 for Large Language Model Applications continues to be a core component of our work, identifying the most critical security vulnerabilities in LLM applications. Access the latest Top 10 for LLM: https://genai.owasp.org/llm-top-10/
🌐
Veracode
veracode.com › home › owasp top 10 vulnerabilities
What Are the OWASP Top 10 Vulnerabilities? | Veracode
December 18, 2025 - Q: What is the most common vulnerability today? A: As of the latest update, Broken Access Control (A01) is the most prevalent and severe risk in web applications, now ranked first on the list. For comprehensive guidance, refer to the official OWASP Top 10 documentation.
🌐
Cyber Press
cyberpress.org › home › owasp releases 2026 top 10 list featuring two new security categories
OWASP Releases 2026 Top 10 List Featuring Two New Security Categories
January 20, 2026 - The Open Web Application Security Project (OWASP) has officially released the eighth edition of its influential Top 10 security risks list for 2026, introducing significant changes that reflect the evolving landscape of application security threats.
🌐
GitHub
github.com › owasp › top10
GitHub - OWASP/Top10: Official OWASP Top 10 Document Repository · GitHub
Official OWASP Top 10 Document Repository · We have released the OWASP Top 10:2025 (Final): OWASP Top10:2025 · Please log any feedback, comments, or log issues here. OWASP Top10:2021 · OWASP Top 10:2017 (PPTX) OWASP Top 10:2017 (PDF) There ...
Starred by 5.9K users
Forked by 1.1K users
Languages   HTML 93.9% | Shell 2.9% | Python 1.8%
🌐
Security Journey
securityjourney.com › post › what-is-the-owasp-top-10-a-guide-to-the-top-ten-most-common-security-risks-in-coding
What Is the OWASP Top 10? Top 10 Vulnerabilities Explained
February 16, 2026 - As OWASP rolls out the Top 10:2025 (currently in Release Candidate status), you can expect some categories and names to evolve, particularly around software supply chain failures and modern misconfigurations, but the 2021 list is still the main ...
🌐
SecurityWall
securitywall.co › blog › owasp-top-10-web-app-update
OWASP Top 10 2026: Current Version, Full List & Changes
February 24, 2026 - Last verified: June 2026 The current OWASP Top 10 version is the 2021 edition. OWASP has not released a new Top 10 for web applications since 2021. If you've been told your web application pentest should be "OWASP-aligned" and almost every RFP ...
🌐
Cloudflare
cloudflare.com › learning › security › threats › owasp-top-10
What is OWASP? What Are The OWASP Top 10?
The OWASP Top 10 is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world.
🌐
GitLab
about.gitlab.com › blog › security › owasp top 10 2025: what's changed and why it matters
OWASP Top 10 2025: What's changed and why it matters
January 7, 2026 - Explore new supply chain and error handling risks, ranking shifts, and remediation strategies for all 10 categories. ... The OWASP Foundation has released the eighth edition of its influential "Top 10 Security Risks" list for 2025, introducing significant changes that reflect the evolving landscape of application security.
🌐
HHS.gov
hhs.gov › sites › default › files › owasp-top-10.pdf pdf
The OWASP Top 10 August 4, 2022 TLP: WHITE, ID# 202208041300 1
OWASP and the OWASP Top 10 · 3 · Source: OWASP · • Threat Brief: Web Application Attacks in · Healthcare · • Open Web Application Security Project (OWASP) Nonprofit foundation dedicated to improving · software security · Operates under an “open community” model, meaning that anyone can participate in and ·
🌐
Oligo Security
oligo.security › academy › breaking-down-owasp-top-10-for-web-apps-mobile-api-k8s-and-llms
Breaking Down OWASP Top 10 for Web Apps, Mobile, API, K8s & LLMs
The 2021 edition of the OWASP Top 10 introduced further refinements, grouping similar vulnerabilities to better reflect root causes, like "insecure design" and "software and data integrity failures."
🌐
Fastly
fastly.com › blog › new-2025-owasp-top-10-list-what-changed-what-you-need-to-know
The New 2025 OWASP Top 10 List: What Changed, and What You Need to Know | Fastly
November 18, 2025 - Updated every 4 years or so, the OWASP Top 10 reflects changes to the cybersecurity landscape, highlighting emerging threats. It lists Common Weakness Enumerations (CWEs), or common software and hardware weaknesses. The list serves as a reference standard that provides ranking of and remediation guidance for the top ten most critical application security risks.
🌐
Orca Security
orca.security › home › owasp top 10 list
OWASP Top 10: Web App Security Guide | Orca Security
September 19, 2025 - The OWASP Top 10 List is a regularly updated document that identifies the ten most critical web application security risks, based on data collected from security organizations and practitioners worldwide. Published by the Open Web Application Security Project (OWASP), this resource serves as a foundational reference for developers, security teams, and enterprises working to secure web applications.