Updated January 2025
Top 10 Vulnerabilities
Bugcrowd tracks the global vulnerability landscape based on the hundreds of thousands of vulnerability reports our platform processes annually—providing critical data for customers and hackers in reports, benchmarks, and recommendations.
For more insight about the vulnerability rankings below, see our annual Inside the Platform: Bugcrowd Vulnerability Trends report.
Reflected cross-site scripting (XSS)
XSS refers to an attacker’s ability to inject malicious code into a website’s context; in the reflected variant, the code is delivered via a crafted link and executes in the victim's browser when an unsuspecting user clicks on it.
Disclosure of secrets
This can occur when a website or app doesn’t properly protect deployment secrets, tokens, PII, IP, and other sensitive info.
Insecure direct object reference (IDOR)
IDOR is present when an application allows an unauthorized user to reference an object to which they shouldn't have access.
Lack of security headers
This refers to the absence of security headers, such as Strict-Transport-Security (HSTS), Cache-Control, and Content-Security-Policy, exposing web apps to various risks.
Failure to invalidate session
If the application fails to invalidate a session after a password is changed, it enables an attacker to continue using the compromised session.
Stored XSS
This arises when an application stores data from an untrusted source and later includes it in its responses, so that attacker-supplied client-side script executes within the context of a user's browser session.
Content spoofing
When an app doesn’t handle user-supplied data safely, an attacker can supply their own content (typically via a parameter value) back to the user for nefarious purposes.
Open redirect
This enables an attacker to manipulate user-controlled input so that the application redirects users to malicious websites.
Directory listing enabled
Web servers that have directory listing enabled can allow attackers to easily identify the resources in a given path for reconnaissance purposes.
Misconfigured DNS
This is present when a DNS is set up incorrectly in a way that could create the risk of an unauthorized takeover of DNS-specific technologies such as email, website hosting, and more.
Disclosure of secrets
This can occur when a website or application doesn’t properly protect deployment secrets, tokens, PII, IP, and other sensitive info.
Authentication bypass
This vuln is present when an attacker can circumvent website authentication in order to access restricted resources or gain unauthorized control.
Insecure direct object reference (IDOR)
IDOR is present when an application allows an unauthorized user to reference an object to which they shouldn't have access.
Remote code execution (RCE)
With RCE, an attacker can run arbitrary code on a target system remotely due to unvalidated user inputs, insecure APIs, misconfigurations, or other flaws.
SQL injection
This refers to when an attacker inserts malicious code into a SQL query in order to access, modify, or delete data, bypass authentication, or execute admin commands.
OAuth misconfiguration
An application that improperly implements or configures the OAuth authentication and authorization framework can create security vulnerabilities, such as exposure of OAuth tokens.
Stored XSS
This arises when an application stores data from an untrusted source and later includes it in its responses, so that attacker-supplied client-side script executes within the context of a user's browser session.
File inclusion
A file inclusion flaw is present if an app allows an attacker to include files on the server through user input, typically by manipulating file paths in URLs or form fields.
DNS with critical impact
This vuln refers to the risk of a DNS disruption leading to lost revenue and/or severe reputational damage due to loss of application accessibility.
Misconfigured DNS
This is present when a DNS is set up incorrectly in a way that could create the risk of an unauthorized takeover of DNS-specific technologies such as email, website hosting, and more.
Sensitive data—hardcoded
This refers to the practice of embedding sensitive information, such as passwords, encryption keys, or API keys, directly in application source code where attackers can easily find it.
Remote code execution (RCE)
With RCE, an attacker can run arbitrary code on a target system remotely due to unvalidated user inputs, insecure APIs, misconfigurations, or other flaws.
Second-factor authentication
A second-factor authentication (2FA) flaw, such as the ability to bypass 2FA or insecurely stored 2FA-related data, can create a significant risk.
Content spoofing
When an app doesn’t handle user-supplied data safely, an attacker can supply (“spoof”) their own content (typically via a parameter value) back to the user for nefarious purposes.
Authentication bypass
This vuln is present when an attacker can circumvent website authentication in order to access restricted resources or gain unauthorized control.
SQL injection
This refers to when an attacker inserts malicious code into a SQL query in order to access, modify, or delete data, bypass authentication, or execute admin commands.
Command injection
Command injection occurs when an attacker injects and executes arbitrary commands by exploiting an insecure system that passes user input to a command-line interface or shell.
Disclosure of secrets
This arises when a website or application doesn’t properly protect deployment secrets, tokens, PII, IP, and other sensitive info.
XML external entity injection (XXE)
XXE refers to the ability of an attacker to manipulate XML input and exploit the app’s XML parser to access resources on the server.
Path traversal
This flaw allows an attacker to access files and directories outside the intended scope of an application—potentially accessing sensitive files or data.