Security Research · Q1 2026

Web Application Security Report 2026

Aggregate findings from 47,291 vulnerabilities across 3,847 scanned applications. All data is anonymised and validated through real exploitation — no theoretical findings.

Data as of Q1 2026 · Updated quarterly · n=47,291 confirmed findings

47,291 · Total vulnerabilities found across all scans
3,847 · Applications tested (unique target origins)
63% · Had critical or high findings (of all apps scanned)
4.2 min · Median time to first critical, from scan launch

Key Findings

What the data shows

42% of all scanned applications had at least one broken access control vulnerability — the most prevalent finding category for the third consecutive quarter.

3.4× more vulnerabilities discovered in authenticated scans compared to unauthenticated scans of the same application. Most IDOR and business logic flaws are invisible without authenticated context.

78% of critical findings were directly exploitable with no prerequisite access — meaning an unauthenticated attacker could immediately compromise user data or application integrity.

91% of SQL injection vulnerabilities were found in applications that passed automated static analysis (SAST). Dynamic testing catches what source-code scanning misses.

22 days median time between a vulnerability being introduced in code and being discovered when tested only at deployment. Continuous testing in CI/CD reduces this window to minutes.

$4.88M average cost of a data breach (IBM 2024). Of breaches analysed, 67% involved a vulnerability class that Penetrify scans for — broken access control, injection, or authentication flaws.

OWASP Distribution

Vulnerability types

Broken access control remains the dominant vulnerability class — a pattern consistent with OWASP's rankings. IDOR, missing authorisation checks, and path traversal account for the bulk of findings in this category.

n = 47,291 confirmed findings · Q1 2026

OWASP   Category                        Findings   Share
A01     Broken Access Control             16,173   34.2%
A03     Injection (SQLi, XSS, SSTI)       10,262   21.7%
A05     Security Misconfiguration          8,654   18.3%
A07     Broken Authentication              5,864   12.4%
A02     Sensitive Data Exposure            3,689    7.8%
A06     Vulnerable Components              1,608    3.4%
        Other                              1,041    2.2%

Severity Breakdown

How serious are the findings?

Severity     Share
Critical       18%
High           31%
Medium         34%
Low / Info     17%

49% of findings are critical or high severity — directly exploitable with immediate business impact. Medium findings represent configuration gaps that become exploitable when chained.

By Industry

Applications by vertical

Vertical           Share
SaaS / B2B Apps      38%
Fintech              22%
E-commerce           19%
Healthcare           13%
Other                 8%

Fintech applications had the highest critical-finding rate (71% had at least one), followed by healthcare (68%). E-commerce led for injection vulnerabilities, particularly payment-flow input handling.

Scan Volume

Monthly vulnerability discoveries

Monthly scan volume has grown 143% from October 2025 to March 2026 as teams integrate Penetrify into CI/CD pipelines and test more frequently.

Month    Findings
Oct 25      2,841
Nov 25      3,204
Dec 25      3,112
Jan 26      4,387
Feb 26      5,631
Mar 26      6,918

Spotlight Finding

Authenticated scans find 3.4× more vulnerabilities

When we compared scans of the same applications with and without authenticated sessions, authenticated scans discovered 3.4× more vulnerabilities on average. Nearly all IDOR, privilege escalation, and broken business logic findings are invisible without an active session.

4.1 avg findings/app (unauthenticated)  vs  14.0 avg findings/app (authenticated)

Methodology

How this data was collected

How was this data collected?
All statistics are derived from anonymised, aggregated results of security scans run through the Penetrify platform. No personally identifiable information, application source code, or identifying details about tested organisations are included. Findings are counted at the vulnerability instance level — a single application with five SQL injection vulnerabilities counts as five injection findings.

What types of applications were scanned?
The dataset covers web applications and APIs submitted to Penetrify for scanning. The majority are SaaS products, internal business applications, and customer-facing web portals. Mobile application backends and infrastructure endpoints are included when tested as part of an API scan. Targets were provided and authorised by the application owners.

How are vulnerability types classified?
Findings are mapped to OWASP Top 10 2021 categories where applicable. Each finding is independently validated by the Penetrify AI agent through exploitation — we do not count theoretical or unconfirmed findings. The "Broken Access Control" category (OWASP A01) covers IDOR, privilege escalation, path traversal, and missing function-level access control.

Why does authenticated scanning find 3.4× more vulnerabilities?
Unauthenticated scans can only test the pre-login attack surface: login pages, public APIs, registration flows, and publicly accessible endpoints. Authenticated scans expose the full application — user dashboards, admin panels, API endpoints that require a valid session, and all business logic that sits behind authentication. IDOR vulnerabilities, broken object-level authorisation, and privilege escalation flaws are structurally invisible without authenticated context.

How often is this report updated?
The dataset is updated quarterly. The figures on this page reflect scans completed through Q1 2026. Each quarterly update includes new finding counts, any shifts in vulnerability category distribution, and new findings from the growing scan volume.
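As an added illustration of the authenticated-scan point above (example code, not Penetrify's own): the same invoice endpoint with and without an object-level authorisation check, plus a small verification routine showing that a request with no session cannot tell the two apart, while a logged-in session reading another user's record can. The invoice store, session tokens and handler names are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float

# Constructed sample data: two tenants, one invoice each.
INVOICES = {
    101: Invoice(101, "alice", 120.00),
    202: Invoice(202, "bob", 980.00),
}
# Constructed session tokens, each resolving to the authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def _current_user(session_token):
    """Resolve a session token to a username, or None when unauthenticated."""
    return SESSIONS.get(session_token)


def get_invoice_vulnerable(session_token, invoice_id):
    """Authenticates the caller but never checks that the caller owns the object."""
    user = _current_user(session_token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice            # IDOR: any logged-in user can read any invoice


def get_invoice_hardened(session_token, invoice_id):
    """Same endpoint with an object-level authorisation check on every lookup."""
    user = _current_user(session_token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != user:
        return 404, None           # 404 rather than 403: do not confirm the object exists
    return 200, invoice


def idor_detected(handler, session_token, invoice_id):
    """Verification step: does a session that does not own the object get it back?"""
    status, invoice = handler(session_token, invoice_id)
    return status == 200 and invoice is not None \
        and invoice.owner != _current_user(session_token)
```

Without a session both handlers answer 401, so the check reports nothing; with alice's session requesting bob's invoice the vulnerable handler is flagged and the hardened one is not.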

Find out what's in your application

63% of applications have a critical or high-severity finding waiting to be discovered. Run your first scan in minutes.