
Web vulnerabilities: complete OWASP Top 10 guide for 2026

Published on 2026-04-01, 9 min read, by Florian

Why the OWASP Top 10 still matters in 2026

The OWASP Top 10 is the industry-standard ranking of web application vulnerabilities. Published by the Open Web Application Security Project, it gets updated every three to four years. The latest official version dates from 2021, but its categories remain fully relevant in 2026. At CleanIssue, every external review begins with a systematic check of all ten categories.

A01: Broken Access Control

The number one vulnerability since 2021. This covers IDORs, horizontal and vertical access control bypasses, and missing function-level checks. In practice, user A accesses user B's data by modifying a parameter in the URL or request body. Example: GET /api/invoices/1042 returns another customer's invoice if the server doesn't verify ownership.

What we check: every exposed endpoint is tested with a user who doesn't own the requested resource.
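The GET /api/invoices/1042 case above, modelled in plain Python as an added example (not code from the original post or from CleanIssue): a handler that looks up the invoice without comparing the owner, the corrected handler, and the non-owner check the review step describes. The invoice store, user names and function names are constructed for this illustration.

```python
# Added example: IDOR on an invoice endpoint, vulnerable and fixed handlers,
# plus the "request it as someone who doesn't own it" check from the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: float


# Constructed sample data: invoice 1042 belongs to "bob", 1041 to "alice".
INVOICES = {
    1041: Invoice(1041, "alice", 120.00),
    1042: Invoice(1042, "bob", 980.50),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int):
    """Broken access control: the id is looked up, the caller is never compared."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice  # any authenticated user can read any invoice


def get_invoice_fixed(session_user: str, invoice_id: int):
    """Ownership enforced server-side. A non-owner gets the same 404 as a
    missing id, so the endpoint does not confirm which ids exist (a design
    choice; 403 is also common)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        return 404, None
    return 200, invoice


def idor_check(handler, owner: str, other_user: str, resource_id: int) -> bool:
    """The review step: fetch the resource as a user who does not own it.
    Returns True only if the owner still gets it and the other user gets nothing."""
    owner_status, _ = handler(owner, resource_id)
    other_status, other_body = handler(other_user, resource_id)
    return owner_status == 200 and other_status != 200 and other_body is None


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)):
        ok = idor_check(handler, owner="bob", other_user="alice", resource_id=1042)
        print(f"{name}: {'passes' if ok else 'FAILS'} the non-owner check")
```

In a real review the same check is run per endpoint and per HTTP method, since a read that is protected often sits next to an update or delete that is not.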

A02: Cryptographic Failures

Formerly Sensitive Data Exposure. This covers plaintext password storage, missing TLS on sensitive data flows, and obsolete hashing algorithms like MD5 or SHA1 without salt. We still find applications storing tokens in localStorage without encryption and transmitting health data over HTTP.

A03: Injection

SQL injection is still around, but this category also covers NoSQL, LDAP, OS command, and ORM injections. Any user data inserted into a query without parameterization is a vector. Modern ORMs reduce the attack surface but don't eliminate it: raw queries in Laravel (DB::raw()) or Django (extra()) remain dangerous.

A04: Insecure Design

Added in 2021, this targets architectural flaws. A password reset system using a 4-digit code with no attempt limiting isn't an implementation bug, it's a design flaw. No technical fix compensates for an architecture built without a threat model.

A05: Security Misconfiguration

Missing HTTP headers (X-Frame-Options, Content-Security-Policy), verbose error pages, debug features enabled in production, overly permissive default settings on S3 buckets or Supabase databases without RLS. This is the most frequent category in our SMB audits.

A06: Vulnerable and Outdated Components

Running a version of jQuery with a known XSS, a WordPress plugin unmaintained for two years, or a Docker image based on an end-of-life OS. Dependency management is an ongoing process, not a one-time event.

A07: Identification and Authentication Failures

Sessions that don't invalidate on logout, no brute force protection, JWT tokens without expiration, weak passwords accepted. We regularly find applications that accept password123 as a valid password.

A08: Software and Data Integrity Failures

This category includes insecure CI/CD pipelines and unsafe deserialization. An attacker who compromises an npm package used by your application can inject arbitrary code. This is exactly what happened with event-stream in 2018 and xz-utils in 2024.

A09: Security Logging and Monitoring Failures

If nobody detects an intrusion, the attacker operates freely. No authentication logs, no alerts on mass 403 errors, no monitoring of abnormal API access. Most SMBs we audit have no detection system whatsoever.

A10: Server-Side Request Forgery (SSRF)

The attacker forces the server to make requests to internal resources. In cloud environments, this often means reaching the metadata service (169.254.169.254) and retrieving IAM credentials. This is the flaw that enabled the Capital One breach in 2019.

Where to start

Before running a scanner, manually check the first five categories. They account for over 80% of the critical flaws we find. A CleanIssue external review systematically covers all ten categories. Request your audit call to understand your exposure.


Sources

Editorial analysis based on official vendor, project, and regulator documentation.

Written by Florian
Reviewed on 2026-04-01
