OWASP TOP 10 / A06:2021
Vulnerable and Outdated Components
Using libraries, frameworks, or software with known vulnerabilities or that are no longer maintained.
Most of a modern application's code is third-party: frameworks, libraries and their transitive dependencies. A known flaw in any one of them is reachable through your application, so a single vulnerable dependency can compromise the whole system. Log4Shell (CVE-2021-44228 in Log4j) showed how one library flaw can expose millions of systems at once, including many whose operators did not know the library was present.
You cannot patch what you do not know you have. Maintain a software bill of materials (SBOM) for every deployed build, including transitive dependencies, and match it continuously against vulnerability advisories rather than scanning once at release time.
How to prevent it
Maintain an SBOM for each released version, remove dependencies you do not actually use (fewer components means fewer advisories to track), pin versions and obtain packages only from official sources over signed or integrity-checked channels, and monitor advisory feeds (NVD, distribution and vendor security lists, ecosystem advisory databases) for CVEs that match your inventory. Patch promptly, and use CISA's Known Exploited Vulnerabilities (KEV) catalog to prioritize: a vulnerable component that appears in KEV is being exploited in the wild and goes first, whatever its CVSS score. Treat unmaintained components that will never receive a fix as a finding too; the remediation there is replacement, not waiting.
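The following is an added example, not OWASP's own code or tooling, of the inventory-to-prioritization loop described above: it reads a CycloneDX-style SBOM, matches each component's package URL against an advisory list, and ranks the findings so that anything in a KEV-style "known exploited" set is scheduled first. The SBOM, the second advisory (`EXAMPLE-2024-0001` for a made-up `com.example/example-util` package) and the KEV set are constructed inline for the demonstration; the `log4j-core` entry mirrors the public Log4Shell advisory (CVE-2021-44228, fixed in 2.15.0). The range matching is a simplified numeric comparison and assumes dotted versions; a production scanner would use the ecosystem's own version semantics.

```python
import json

# Constructed CycloneDX-style SBOM. Not a real project's inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"type": "library", "group": "com.example", "name": "example-util",
     "version": "1.2.0", "purl": "pkg:maven/com.example/example-util@1.2.0"}
  ]
}
"""

# Constructed advisory feed. The first entry mirrors the public Log4Shell advisory
# (CVE-2021-44228, affected 2.0 up to but excluding 2.15.0); the second is hypothetical.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-2024-0001", "purl_base": "pkg:maven/com.example/example-util",
     "introduced": "1.0.0", "fixed": "1.3.0", "severity": "medium"},
]

# Constructed stand-in for the CISA KEV catalog: identifiers exploited in the wild.
KEV_IDS = {"CVE-2021-44228"}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1). Non-numeric suffixes such as '-rc1' are
    dropped, and short versions are padded so '1.2' compares equal to '1.2.0'."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, adv: dict) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def triage(sbom_json: str, advisories: list, kev_ids: set) -> list:
    """Match SBOM components to advisories and rank the findings.
    Anything listed in the KEV-style set is priority P1 regardless of severity."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        # Strip the '@version' suffix so the purl identifies the package, not the release.
        base = comp.get("purl", "").split("@", 1)[0]
        for adv in advisories:
            if adv["purl_base"] == base and is_affected(comp["version"], adv):
                findings.append({
                    "component": f"{comp['name']}@{comp['version']}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fix": adv["fixed"],
                    "priority": "P1-exploited" if adv["id"] in kev_ids else "P2-scheduled",
                })
    # P1 sorts before P2 lexically, so exploited issues come first.
    findings.sort(key=lambda f: (f["priority"], f["component"]))
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, KEV_IDS):
        print(f"{f['priority']:13} {f['component']:24} {f['advisory']:18} "
              f"{f['severity']:9} upgrade to {f['fix']}")
```

Running it reports `log4j-core@2.14.1` as P1 (in the KEV set) ahead of the medium-severity `example-util@1.2.0` finding, while `jackson-databind@2.15.2` produces nothing because no advisory in the feed matches it. The same loop can be wired to a real advisory source and to the KEV JSON feed; the point is that the SBOM, not a scan of the running host, is the input.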
Mapped weaknesses (CWE)
Free tools to test for it
Related terms
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.