Many kinds of vulnerabilities exist.
To understand which ones occur most frequently, we can rely on the OWASP Top Ten.
“The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.”
Source: OWASP Top Ten
The latest version of this Top Ten is:
A2 Broken Authentication and Session Management (TO WRITE)
A3 Cross-Site Scripting (XSS) (TO WRITE)
A4 Insecure Direct Object References (TO WRITE)
A5 Security Misconfiguration (TO WRITE)
A6 Sensitive Data Exposure (TO WRITE)
A7 Missing Function Level Access Control (TO WRITE)
A8 Cross-Site Request Forgery (CSRF) (TO WRITE)
A9 Using Components with Known Vulnerabilities (TO WRITE)
A10 Unvalidated Redirects and Forwards (TO WRITE)