OWASP Releases New Top 10 Risk List

The Open Web Application Security Project, created in 2001, has published five versions of its Top 10 vulnerability rankings over the years. The nonprofit released its 2017 version this week, after a four-year wait.

The project maintains a record of up to 10 years of security information, based on a survey of over 500 people working in the industry.

This year's Top 10 carries over many of the concerns from the 2013 list, merges several of them into one category and adds three new ones.

Number 4 is new to this year's list, marking poorly configured XML processors as a concern. Also new are Number 8, insecure deserialization, which can lead to remote code execution or privilege escalation attacks, and Number 10, insufficient logging and monitoring, which allows attacks to persist and is often coupled with ineffective incident response.

Security misconfiguration moved down the list from fifth to sixth, and using components with known vulnerabilities stayed ninth. Cross-site scripting, in which a site page uses untrusted information without validation, landed in the seventh spot.

 

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.