Here is what Bugcrowd is seeing as trends in application defects for the month of January 2021. No real surprises, except for number 9, Open Redirects. Validating URLs is hard...
1 – SENSITIVE DATA EXPOSURE
2 – CROSS-SITE SCRIPTING
3 – SUBDOMAIN TAKEOVER
4 – BROKEN ACCESS CONTROL
5 – PRIVILEGE ESCALATION
6 – SENSITIVE INFORMATION PASSED TO HTTP BY DEFAULT
7 – AUTHENTICATION BYPASS
8 – CROSS-SITE REQUEST FORGERY (CSRF)
9 – OPEN REDIRECT
10 – REMOTE CODE EXECUTION