Saved February 14, 2026
This article outlines the updated OWASP Top Ten list for 2025, highlighting critical web application security risks. It introduces two new categories and shifts existing ones based on survey data and trends in software vulnerabilities. Each category is defined by specific weaknesses, helping organizations focus on key security issues.
The OWASP Top Ten for 2025 highlights the most critical web application security risks, with significant updates from previous years. Broken Access Control remains the top concern, affecting 3.73% of applications tested. Security Misconfiguration has risen to second place, now impacting 3% of apps, reflecting the growing complexity in software configurations. New to the list is Software Supply Chain Failures, which expands on previous categories to cover broader vulnerabilities in software dependencies, despite having limited data so far.
Cryptographic Failures and Injection have dropped in rank, now sitting at fourth and fifth, respectively. Cryptographic Failures affect 3.80% of applications, while Injection remains a persistent issue across a range of vulnerability types. Insecure Design and Authentication Failures have also shifted down in the rankings, although the latter benefits from standardized authentication frameworks that appear to reduce incidents. The other new category for 2025, Mishandling of Exceptional Conditions, addresses errors stemming from improper handling of unexpected situations, which can lead to significant security issues.
The methodology for this installment reflects a commitment to data-informed decision-making while also factoring in community insights. The analysis covered a broader range of Common Weakness Enumeration (CWE) entries, now totaling 589, up from around 400 in 2021. The focus is on root causes rather than just the symptoms of vulnerabilities, aiming to provide clearer guidance for remediation. Each category maps to an average of about 25 CWEs, indicating a more comprehensive approach to identifying and addressing security risks in web applications.