Top 10 (2021)

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design [new]
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures [new]
  9. Security logging and monitoring failures
  10. Server side request forgery (SSRF) [new]

Top 10 (2017)

  1. Injection
  2. Broken authentication
  3. Sensitive data exposure
  4. XML external entities (XXE) [new]
  5. Broken access control [merged 4, 5, 6]
  6. Security misconfiguration
  7. Cross site scripting (XSS)
  8. Insecure deserialization [new, community]
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring [new, community]

Top 10 (2013)

  1. Injection
  2. Broken authentication and session management
  3. Cross site scripting (XSS)
  4. Insecure direct object reference
  5. Security misconfiguration
  6. Sensitive data exposure
  7. Missing functional level access control
  8. Cross site request forgery (CSRF)
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards

For more details, see the OWASP Top 10 GitHub project.