Safeguard
Application Security

OWASP Top 10 vulnerabilities explained

A breakdown of all 10 OWASP Top 10 categories with real CVEs (Log4Shell, Equifax, Heartbleed) mapped to each, and stats on which risks hit production most.

James
Principal Security Architect
Updated 6 min read

The OWASP Top 10 is the most cited vulnerability list in application security, but most explainers just restate the category names without answering the questions security teams actually have: which of these flaws show up most in real breaches, how the list changes over time, and what to do about it in a modern CI/CD pipeline. OWASP last published a full revision in 2021, built from contributed data on more than 500,000 applications and mapped against 400+ CWEs. Broken Access Control (A01) topped that list, appearing in some form in 94% of tested applications. This post breaks down each category, ties them to real CVEs like Log4Shell (CVE-2021-44228) and the Equifax breach (CVE-2017-5638), and explains how reachability analysis changes which of these OWASP vulnerabilities actually deserve a sprint.

What is the OWASP Top 10?

The OWASP Top 10 is a standardized awareness document, published by the nonprofit Open Web Application Security Project, that ranks the most critical security risks to web applications. It is not a compliance checklist or a scanner ruleset — it's a consensus report built from a combination of industry-contributed vulnerability data and a practitioner survey. OWASP has released full revisions in 2003, 2004, 2007, 2010, 2013, 2017, and 2021, with the 2021 edition remaining the current reference version as of mid-2026. Each category bundles multiple related CWEs (Common Weakness Enumerations) rather than describing one specific bug, which is why "Injection" covers SQL injection, command injection, and LDAP injection under a single heading.

What are the 10 categories in the OWASP Top 10 (2021)?

The 2021 list, in order, is: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, and A10 Server-Side Request Forgery. Three of these — Insecure Design, Software and Data Integrity Failures, and SSRF — were new additions in 2021, reflecting a shift toward supply chain and architectural risk rather than purely code-level bugs. A06, Vulnerable and Outdated Components, was previously ranked lower on the 2017 list but moved up as dependency-related incidents like Log4Shell (disclosed December 10, 2021, just weeks after the list published) made third-party component risk impossible to ignore.

Which category is most common in real-world applications?

Broken Access Control is the most common category, found in some form across 94% of the applications OWASP's contributors tested for it in the 2021 dataset, with an average incidence rate of 3.81% and over 318,000 total occurrences across 34 mapped CWEs — the highest of any category. This covers failures like insecure direct object references (IDOR), privilege escalation through parameter tampering, and missing function-level access checks. A widely cited example is the 2019 Capital One breach (affecting over 100 million customers), which stemmed from a misconfigured web application firewall that allowed a server-side request forgery attack to reach IAM credentials with excessive access — a combination of A01 and A10 in the 2021 taxonomy. Injection, the long-standing top category before 2021, was tested in a similarly high 94% of applications but had a lower incidence rate of 3.37%, which is why it dropped to A03.

How does Injection differ from Broken Access Control?

Injection is a data-handling flaw where untrusted input is interpreted as executable code or commands, while Broken Access Control is an authorization flaw where the system fails to enforce who can do what. A SQL injection vulnerability lets an attacker manipulate a query — for example, the 2017 Equifax breach traced back to CVE-2017-5638, an Apache Struts2 remote code execution flaw exploited via a malicious Content-Type header, exposing data on 147 million people. Broken access control, by contrast, doesn't require corrupting input at all; it exploits missing or misconfigured checks on requests that are otherwise well-formed, such as changing a user ID in a URL to view another account's records. Both can lead to full compromise, but injection is fixed with input validation and parameterization, while access control failures require centralized, deny-by-default authorization logic — a design fix, not a filter.

What CVEs map to specific OWASP Top 10 categories?

Several of the highest-impact CVEs of the last decade map cleanly onto specific 2021 categories. CVE-2021-44228 (Log4Shell) is a Vulnerable and Outdated Components (A06) issue at its root — a remote code execution flaw in the ubiquitous Log4j logging library, disclosed in December 2021 and still being scanned for in 2026 because it shipped transitively inside thousands of Java applications. CVE-2017-5638 (Apache Struts2, the Equifax breach) also falls under A06. CVE-2014-0160, better known as Heartbleed, is a Cryptographic Failures (A02) issue in OpenSSL that exposed private keys and session data across an estimated 17% of the internet's HTTPS servers at disclosure. SolarWinds' 2020 Orion supply chain compromise is the canonical Software and Data Integrity Failures (A08) example, where a build-system compromise let attackers inject malicious code (SUNBURST) into signed, trusted software updates delivered to roughly 18,000 customers. Mapping a CVE to a category matters operationally because it tells you which control family — input handling, dependency management, build integrity — actually needs to change.

How often does OWASP update the Top 10, and what's changing next?

OWASP has updated the Top 10 roughly every three to four years since 2010, with releases in 2010, 2013, 2017, and 2021, and community review cycles for a next revision underway since 2023. The gap between releases means the list lags emerging risk categories by design — API-specific risks were split into a separate OWASP API Security Top 10 in 2019 precisely because REST and GraphQL APIs introduced failure modes (like excessive data exposure and lack of resource rate limiting) that didn't fit cleanly into the web-app-centric 2017 list. Teams that wait for a full OWASP revision to reprioritize are typically a full CVE cycle behind; Log4Shell, Heartbleed, and the SolarWinds compromise all hit production systems between official list updates, which is why mapping live CVE and SBOM data to these categories continuously matters more than the triennial document itself.

How Safeguard Helps

Safeguard maps OWASP Top Ten vulnerabilities directly onto the findings in your generated and ingested SBOMs, so a Log4Shell-class A06 finding or a Heartbleed-class A02 finding is tagged with the exact category and severity context your compliance and engineering teams both need. Reachability analysis then filters that list down to the components whose vulnerable code paths are actually invoked by your application, cutting the noise that makes teams triage hundreds of theoretical A03 and A06 findings a month. Griffin AI, Safeguard's reasoning engine, correlates reachable findings with exploit maturity and your existing access control and authentication posture to prioritize what genuinely resembles an A01 or A07 exposure versus a low-risk finding. When a fix is available, Safeguard opens an auto-fix pull request with the minimal version bump or patch needed, so remediation for supply chain-rooted OWASP categories like A06 and A08 ships in minutes instead of sitting in a backlog.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.