Top 5 OWASP Vulnerabilities We See Most Often
Security
After running thousands of scans on Hostile Review, we've noticed some clear patterns in the most common vulnerabilities that keep showing up across codebases. Here are the top 5:
1. Injection flaws -- SQL injection is still alive and well, especially in legacy code and ORMs used incorrectly.
2. Broken authentication -- Weak session handling, missing rate limits on login endpoints, predictable tokens.
3. Sensitive data exposure -- API keys in client-side code, secrets committed to repos, unencrypted PII in logs.
4. Security misconfiguration -- Default credentials, overly permissive CORS, debug mode left on in production.
5. XSS (Cross-Site Scripting) -- Reflected and stored XSS remain shockingly common, especially in user-generated content areas.
What are you seeing in your own projects? Any patterns that surprise you?