A1 Injection

A2 Broken Authentication and Session Management (was formerly A3)

A3 Cross-Site Scripting (XSS) (was formerly A2)

A4 Insecure Direct Object References

A5 Security Misconfiguration (was formerly A6)

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)

A8 Cross-Site Request Forgery (CSRF) (was formerly A5)

A9 Using Known Vulnerable Components (new as a separate category; previously covered under former A6 Security Misconfiguration)

A10 Unvalidated Redirects and Forwards