What's New in 2025
Three categories were tightened, one was expanded, and one was renamed for clarity. The big shift: SSRF moved into a dedicated category instead of being lumped under broken access control.
What to Fix First
Pareto applies. Of the 10, three categories drive ~70% of real-world breaches: broken access control, injection, and vulnerable components. Start there.