惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
aimingoo的专栏
aimingoo的专栏
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Docker
博客园 - 叶小钗
Recent Announcements
Recent Announcements
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
Hugging Face - Blog
Hugging Face - Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
美团技术团队
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
Microsoft Security Blog
Microsoft Security Blog
H
Heimdal Security Blog
有赞技术团队
有赞技术团队
The Cloudflare Blog
S
Secure Thoughts
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
The Blog of Author Tim Ferriss
M
MIT News - Artificial intelligence
Google DeepMind News
Google DeepMind News
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - Franky
T
Tenable Blog
The Last Watchdog
The Last Watchdog
腾讯CDC
量子位
Google DeepMind News
Google DeepMind News
Help Net Security
Help Net Security
雷峰网
雷峰网
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Cyberwarzone
Cyberwarzone
S
Securelist
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
InfoQ
Spread Privacy
Spread Privacy
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Hackread – Cybersecurity News, Data Breaches, AI and More

Scott Helme

Connection Allowlist: a network firewall, built into the browser Top 1 Million Analysis – June 2026: The State of Crypto Top 1 Million Analysis – June 2026: Ten Years of Web Security A dead CDN, a wildcard, and an attack waiting to happen: the netdna-ssl.com takeover Why No Passkeys? Naming the Top Sites That Still Don't Support Them The Instructure Canvas Breach (2026): How XSS in a Support Ticket Compromised 275 Million Students Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP DBSC Beta at Report URI Device Bound Session Credentials: Making Stolen Cookies Useless Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None Passkeys 101: An Introduction to Passkeys and How They Work Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive Under Attack: Responding to the Rise of Info-Stealer Threats Security considerations when using Passkeys on your website Fighting an active Magecart Campaign Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser Bringing in the experts; Having our Passkeys implementation Security Tested Launching Passkeys support on Report URI! 🗝️ When “One in a Billion” Happens Every Day: Scaling Redis at Report URI Leverage our treasure trove of Threat Intelligence data DNS-PERSIST-01; Handling Domain Control Validation in a short-lived certificate World
XSS Ranked #1 Top Threat of 2025 by MITRE and CISA
Scott Helme · 2026-03-10 · via Scott Helme

Look who's back! After we completed 2024, XSS managed to get itself ranked as the #1 top threat of the year. I wrote about that, and at the end of the blog post I said "Let's make sure that XSS isn't #1 in 2025!"... Well, I have some bad news...

Looking at the data

I wrote a whole bunch in that previous blog post about what the CVE program is and what CWE means, so if you want the background, you should definitely head there and read that post first. Here, I want to take a look at the data and see how things are going. Looking at the list of the Top 25 threat in 2025, and then downloading all of the raw data, we can produce some details on the top threats.

CWE ID Vulnerabilities Caused
CWE-79 7,303
CWE-89 3,758
CWE-862 2,190
CWE-352 1,682
CWE-22 967
CWE-121 827
CWE-284 796
CWE-78 748
CWE-434 744
CWE-120 732
CWE-200 703
CWE-125 653
CWE-416 642
CWE-502 619
CWE-77 550
CWE-20 516
CWE-122 513
CWE-787 500
CWE-918 483
CWE-476 478
CWE-94 468
CWE-863 409
CWE-639 362
CWE-306 356
CWE-770 317
Total 43,473

Sadly, as we can see, we still have quite a lot of work to do on this front as XSS (CWE-79) continues to absolutely dominate the rankings! Not only was it the top threat, nothing else even came close.

Looking further back

Given that the entire archive of the Top 25 is available, I thought I'd take a look at how XSS performed over all the years we have data, back as far as 2010(!), and it's not filling me with confidence.

Year XSS Rank
2026 #1 (so far!)
2025 #1
2024 #1
2023 #2
2022 #2
2021 #2
2020 #1
2019 #2
2011 #4
2010 #1

As far back as the data goes, we have seen that XSS is consistently a top ranked threat, never having the left the Top 4!

Detecting and Mitigating XSS

Regular readers will know by now that Content Security Policy provides for an effective mechanism to protect against XSS. Our sole purpose at Report URI is to help organisations deploy a strong CSP to their website and to monitor for signs of trouble should they arise. We have a whole heap of resources to get you started, so head on over to start a free trial and reach out if you need any support getting going.

I have my fingers crossed that we might be able to do something to stop XSS becoming the #1 Top Threat of 2026, but given it already has twice the number of vulnerabilities than its closest competitor, we'd best get started on making some progress soon!


Have you enjoyed this post or found it helpful?
☕️ Consider buying me a coffee to say thanks!
🔔 Subscribe for free notifications when I publish!
🤩 Become a member and support my content!

Tags: XSS, Report URI, CSP