Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.

Failures related to cryptography (or lack thereof) which often lead to exposure of sensitive data. Previously known as Sensitive Data Exposure.

An application is vulnerable to attack when user-supplied data is not validated, filtered, or sanitized by the application. Includes SQL, NoSQL, OS command, LDAP injection.

A broad category representing different weaknesses, expressed as "missing or ineffective control design." Focuses on risks related to design and architectural flaws.

Applications missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.

You are likely vulnerable if you do not know the versions of all components you use; if software is vulnerable, unsupported, or out of date.

Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks.

Code and infrastructure that does not protect against integrity violations. CI/CD pipelines without proper integrity verification, auto-update without verification.

This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.