What is the OWASP Top 10?
Last reviewed June 2, 2026
The OWASP Top 10 is a widely used, periodically updated awareness document that lists the ten most critical security risks to web applications. Maintained by the Open Worldwide Application Security Project (OWASP), each entry is a risk category (for example, A01 Broken Access Control or A03 Injection) that maps to one or more underlying CWE weaknesses.
What the OWASP Top 10 is
The OWASP Top 10 is a standard awareness document for developers and application security teams. It represents a broad consensus on the most critical security risks facing web applications, gathered from contributed data and community surveys. It is intended as a baseline: addressing the Top 10 is a minimum for moving toward more secure code.
Each entry is a risk category rather than a single bug. Categories group related weaknesses, so a category like Injection covers several CWEs that share a common theme.
The OWASP Top 10 (2021 edition)
The 2021 edition reorganized and renamed several categories from prior years. The categories, in order, are:
- A01 - Broken Access Control.
- A02 - Cryptographic Failures.
- A03 - Injection (including cross-site scripting).
- A04 - Insecure Design.
- A05 - Security Misconfiguration.
- A06 - Vulnerable and Outdated Components.
- A07 - Identification and Authentication Failures.
- A08 - Software and Data Integrity Failures.
- A09 - Security Logging and Monitoring Failures.
- A10 - Server-Side Request Forgery (SSRF).
How the OWASP Top 10 maps to CWE
Each OWASP Top 10 category is backed by a set of CWE weakness types. For instance, the Injection category maps to CWEs including CWE-79 (Cross-site Scripting) and CWE-89 (SQL Injection), and Broken Access Control maps to CWEs such as CWE-22 (Path Traversal). This mapping connects the high-level risk framing to the precise weaknesses developers fix in code.
OWASP Top 10 vs CWE Top 25
The two lists are complementary but different. The OWASP Top 10 is web-application focused and organizes risks into categories chosen by consensus and contributed data. The CWE Top 25 is a data-driven ranking of individual weakness types across all software, derived from CVE, NVD, and KEV data.
Use the OWASP Top 10 to frame web application security programs and developer training, and the CWE Top 25 to prioritize specific weakness patterns across your broader software portfolio.
Frequently asked questions
- Who maintains the OWASP Top 10?
- It is maintained by the Open Worldwide Application Security Project (OWASP), a nonprofit community, and updated periodically rather than annually.
- Is the OWASP Top 10 the same as the CWE Top 25?
- No. The OWASP Top 10 lists web application risk categories, while the CWE Top 25 is a data-driven ranking of weakness types across all software. OWASP categories map to underlying CWEs.
- What is the most current edition?
- The 2021 edition is the most widely referenced release, led by A01 Broken Access Control. OWASP updates the list periodically as application risks evolve.
- Are the entries individual vulnerabilities?
- No. Each entry is a risk category that groups multiple related CWE weaknesses, not a single CVE or bug.