Also known as: OWASP Top 10:2025, OWASP 2025
Definition
The OWASP Top 10 is the consensus list of the ten most critical web application security risks, maintained by the Open Worldwide Application Security Project. The 2025 edition (current as of 2026) keeps Broken Access Control at A01, moves Security Misconfiguration up to A02 and Cryptographic Failures down to A04, introduces Software Supply Chain Failures at A03, and adds a new A10, Mishandling of Exceptional Conditions.
A consensus list maintained by OWASP, the Open Worldwide Application Security Project. The list ranks the ten most impactful and prevalent web application vulnerability categories, weighted by incidence data contributed by hundreds of organizations together with a practitioner survey. It is updated roughly every three to four years; the 2025 edition replaced the 2021 one.
Server-Side Request Forgery (A10:2021) was folded into A01 Broken Access Control; Software Supply Chain Failures rose to A03, expanding A06:2021 Vulnerable and Outdated Components beyond third-party libraries to build and distribution pipelines; A10 Mishandling of Exceptional Conditions is new for 2025; and A09 was renamed from "Security Logging and Monitoring Failures" to "Security Logging and Alerting Failures" to emphasize operational signal over forensic-only logs.
A01 (Broken Access Control) maps to tables with RLS off and to IDOR from trusting a userId taken from the request payload instead of the verified session; CSRF belongs here too, since OWASP files CWE-352 under A01. A04 (Cryptographic Failures) maps to the service_role key shipped in the client bundle and to trusting getSession(), whose claims are read back from client-side storage without signature verification, where getUser() validates the token against the auth server. A05 (Injection) maps to XSS and to SQL injection through raw EXECUTE in RPC functions. Each category has a known architectural fix at the SecureStartKit layer rather than a per-route patch.
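The two database-side mappings above (A01 via RLS, A05 via raw EXECUTE) in Postgres/Supabase terms, as an added illustration that is not SecureStartKit's own code. The documents table, its columns and the function names are assumptions; auth.uid() and the authenticated role are Supabase's built-ins.

```sql
-- Added example (not SecureStartKit code). Table, column and function names are assumed.

-- A01 Broken Access Control: a table with RLS off is readable by every authenticated client
-- through the auto-generated REST API. Enable RLS and bind rows to the caller's verified
-- identity. auth.uid() is taken from the JWT subject, so it cannot be set by the request body.
create table if not exists public.documents (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  title    text not null,
  body     text
);

alter table public.documents enable row level security;

create policy "documents: owner can read"
  on public.documents for select
  to authenticated
  using (owner_id = (select auth.uid()));

create policy "documents: owner can write"
  on public.documents for insert
  to authenticated
  with check (owner_id = (select auth.uid()));

-- A05 Injection, the "before": dynamic SQL built by string concatenation. A crafted sort_col
-- such as "(select case when (select count(*) from auth.users) > 0 then 1 else 1/0 end)"
-- turns ORDER BY into a blind SQL injection oracle, and security definer runs the query as the
-- function owner, so RLS no longer protects the data.
create or replace function public.list_documents_unsafe(sort_col text)
returns setof public.documents
language plpgsql
security definer
as $$
begin
  return query execute
    'select * from public.documents order by ' || sort_col;
end;
$$;

-- The fix: check the identifier against an allow-list, quote it with format('%I'), pass values
-- through USING instead of concatenation, and run as the caller (security invoker) so the RLS
-- policies above still apply.
create or replace function public.list_documents(
  sort_col text default 'title',
  search   text default null
)
returns setof public.documents
language plpgsql
security invoker
set search_path = public
as $$
begin
  if sort_col not in ('title', 'id') then
    raise exception 'invalid sort column: %', sort_col;
  end if;

  return query execute format(
    'select * from public.documents
      where ($1 is null or title ilike ''%%'' || $1 || ''%%'')
      order by %I',
    sort_col)
  using search;
end;
$$;
```

The allow-list is what makes the identifier safe; format('%I') only guarantees correct quoting, so a caller can still name any column that exists. Value parameters never go through format at all: $1 is bound by USING, so the search string is data to the planner, not SQL text.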