The OWASP (Open Web Application Security Project) Foundation categorizes and describes threats and defense methods, but only once every few years. The following is based on the 2021 update, which is still valid in 2024.
Access via:
Encryption vulnerabilities. Missing or old/weak algorithms (e.g. MD5, SHA1).
Sending crafted data via input, URL or API - e.g. SQL, OS shell commands.
Input validation and sanitization, e.g. by escaping characters. This also applies on the server side, before accessing the database.
Lack of thought about security throughout the entire application development process.
Incorrect configuration or use of default settings/passwords.
Libraries, OS, cloud, database.
Incorrect authentication or session management.
Malicious library code or unauthorized dev access.
No logs or monitoring of suspicious user activity.
No verification of the user-supplied URL when downloading a resource, e.g. from the server. This can give access to the network or file system.