Look who's back! Once the 2024 numbers were in, XSS managed to get itself ranked as the #1 threat of the year. I wrote about that, and at the end of the blog post I said "Let's make sure that XSS isn't #1 in 2025!"... Well, I have some bad news...

Looking at the data
I wrote a whole bunch in that previous blog post about what the CVE program is and what CWE means, so if you want the background, you should definitely head there and read that post first. Here, I want to take a look at the data and see how things are going. Looking at the 2025 Top 25 list, and then downloading all of the raw data behind it, we can produce some details on the top threats.
| CWE ID | Weakness | CVEs mapped |
|---|---|---|
| CWE-79 | Cross-site Scripting (XSS) | 7,303 |
| CWE-89 | SQL Injection | 3,758 |
| CWE-862 | Missing Authorization | 2,190 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 1,682 |
| CWE-22 | Path Traversal | 967 |
| CWE-121 | Stack-based Buffer Overflow | 827 |
| CWE-284 | Improper Access Control | 796 |
| CWE-78 | OS Command Injection | 748 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 744 |
| CWE-120 | Classic Buffer Overflow | 732 |
| CWE-200 | Exposure of Sensitive Information | 703 |
| CWE-125 | Out-of-bounds Read | 653 |
| CWE-416 | Use After Free | 642 |
| CWE-502 | Deserialization of Untrusted Data | 619 |
| CWE-77 | Command Injection | 550 |
| CWE-20 | Improper Input Validation | 516 |
| CWE-122 | Heap-based Buffer Overflow | 513 |
| CWE-787 | Out-of-bounds Write | 500 |
| CWE-918 | Server-Side Request Forgery (SSRF) | 483 |
| CWE-476 | NULL Pointer Dereference | 478 |
| CWE-94 | Code Injection | 468 |
| CWE-863 | Incorrect Authorization | 409 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | 362 |
| CWE-306 | Missing Authentication for Critical Function | 356 |
| CWE-770 | Allocation of Resources Without Limits or Throttling | 317 |
| Total | | 43,473 |
Sadly, as we can see, we still have quite a lot of work to do on this front as XSS (CWE-79) continues to absolutely dominate the rankings! Not only was it the top threat, nothing else even came close: 7,303 CVEs is almost twice the 3,758 for SQL injection (CWE-89) in second place. (The 25 rows above sum to 27,316, so the total row is counting the whole dataset, not just the Top 25.)

Looking further back
Given that the entire archive of the Top 25 is available, I thought I'd take a look at how XSS has ranked in every year we have data for, back as far as 2010(!), and it's not filling me with confidence.
| Year | XSS Rank |
|---|---|
| 2026 | #1 (so far!) |
| 2025 | #1 |
| 2024 | #1 |
| 2023 | #2 |
| 2022 | #2 |
| 2021 | #2 |
| 2020 | #1 |
| 2019 | #2 |
| 2011 | #4 |
| 2010 | #1 |
As far back as the data goes, we have seen that XSS is consistently a top ranked threat, never having left the Top 4! (The gap in the table is because no Top 25 list was published between 2012 and 2018.)
Detecting and Mitigating XSS
Regular readers will know by now that Content Security Policy provides an effective mechanism to protect against XSS: with a nonce-based policy in place, an injected script carries no valid nonce, so the browser refuses to run it, and the report-uri directive tells you when that happens. CSP is a mitigation layer, though; the fix for the XSS bug itself is still context-aware output encoding, with CSP there to catch the injections that slip through. Our sole purpose at Report URI is to help organisations deploy a strong CSP to their website and to monitor for signs of trouble should they arise. We have a whole heap of resources to get you started, so head on over to start a free trial and reach out if you need any support getting going.

I have my fingers crossed that we might be able to do something to stop XSS becoming the #1 Top Threat of 2026, but given it already has almost twice as many CVEs as its closest competitor, we'd best get started on making some progress soon!