Common Bugs from Low to Critical Level

Clickjacking
Auto complete enabled
Concurrent logins
Rememebr me feature flaw
Robots.txt & robots.txt with logs
No account lockout
Weak password policy
Insecure password storage
Missing 2FA
Information disclosure through comments
Session ID not changed on sigin/signout
Weak session length
Weak session exipry
Weak session randomness
Session ID can be Preset
Version disclosure in headers & response
Cleartext Transmission of Sensitive Data
Insecure Direct Object References (IDOR)
Cache Poisoning
Race Condition
SSL Attack (BREACH, POODLE etc.)
Path Traversal
Captcha Bypass
Weak 2FA Implementation[Old 2FA Code is Not Invalidated After New Code is Generated]
Weak 2FA Implementation[2FA Code is Not Updated After New Code is Requested]
Weak Registration Implementation[Allows Disposable Email Addresses]
Weak Password Reset Implementation[Token is Not Invalidated After Email Change]
Weak Password Reset Implementation[Token is Not Invalidated After Password Change]
Weak Password Reset Implementation[Token Has Long Timed Expiry]
Weak Password Reset Implementation[Token is Not Invalidated After New Token is Requested]
Weak Password Reset Implementation[Token is Not Invalidated After Login]
Open Redirect [Flash-Based]
Open Redirect [Header-Based]
Open Redirect [POST-Based]
Open Redirect [GET-Based]
Sensitive Data Hardcoded [File Paths]
Sensitive Data Hardcoded [OAuth Secret]
Sensitive Token in URL On Password Reset
Sensitive Token in URL In the Background
Lack of Security Headers
Missing Secure or HTTPOnly Cookie Flag [Non-Session Cookie]
Unsafe File Upload File Extension [Filter Bypass]
Unsafe File Upload [No Size Limit]
Unsafe File Upload [No malware check on files]
No Rate Limiting on Forms [Lgin ,password reset,Delete Account,etc]
Unnecessary Data Collection [WiFi SSID+Password]
Executable Download [No Secure Integrity Check]
Sensitive Application Data Stored Unencrypted On External Storage
Server-Side Credentials Storage [Plaintext]
Sensitive Data Exposure Via localStorage/sessionStorage Sensitive Token
Sensitive Data Exposure [Weak Password Reset Implementation Password Reset Token Sent Over HTTP]
Sensitive Data Exposure [Sensitive Token in URL User Facing]
Sensitive Data Exposure [Token Leakage via Referer Over HTTP]
Sensitive Data Exposure [EXIF Geolocation Data Not Stripped From Uploaded Images]
Failure to Invalidate Session [On Password Reset and/or Change]
Failure to Invalidate Session [On Logout (Client and Server-Side)]
Cleartext Transmission of Session Token
Email HTML Injection
External Authentication Injection
Web Application Firewall (WAF) Bypass [Direct Server Access]
OAuth Misconfiguration [Account Squatting]
Mail Server Misconfiguration [ Missing or Misconfigured DMARC on Email Domian]
Misconfigured DNS [Zone Transfer]
Application-Level Denial-of-Service (DoS)
Second Factor Authentication (2FA) Bypass
Content Spoofing-iframe Injection
HTTP Response Manipulation [Response Splitting (CRLF)]
Misconfigured DNS [Basic Subdomain Takeover]
Hardcoded Password [Non-Privileged User]
Hardcoded Password [Privileged User]
Cross-Site Scripting (XSS) All types
Cross-Site Request Forgery (CSRF) All types
Broken Cryptography [Incorrect Usage]
Command Injection
XML External Entity Injection (XXE)
SQL Injection
Remote Code Execution (RCE)
Local File inclusion LFI
Remote file inclusion RFI