Since the beginning of 2022, the Wallarm security research team has been analyzing API vulnerabilities and exploits, and releasing quarterly reports. The Q1 report got a lot of attention and positive feedback from the cybersecurity community, as well as a few valuable ideas and suggestions.

We included many of these in the Q2 API Vulnerabilities and Exploits report, which will be discussed in our upcoming webinar on August 8th.

Register now to reserve your seat!

API Vulnerabilities Report

While you’re waiting for the webinar and full report, we will shed light on some of the more interesting findings in this blog post.

We started this effort to validate Gartner’s predictions for API security: “by 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications." [1]

Now that we're midway through the year, the question is -- is this being proven true by the facts on the ground? Is the threat real?

The Wallarm security research team continually reviews and analyzes new API vulnerabilities and exploits in real-time to align our API security products with modern API cyberthreats. As a part of this exploits monitoring job, we dissect the data to look for trends and insights from a variety of perspectives, including software type, vendor, CVSS scores, CWEs and both OWASP Top-10 (2021) for web apps and OWASP API Security Top-10 (2019). We also drill deeply into publicly disclosed exploits and PoCs to extract payloads and validate if any threats have moved from a theoretical to an actual risk.

Key Findings

Some of the highlights which will be in the final Q2 API Vulnerability report include:

  • Injections (OWASP A03 / API8) are now the highest risk for APIs, ahead of BOLA by all metrics (number of discovered issues, exploitability and severity).
  • API threats grew 3.7x QoQ and already hit the 2 new exploits a day threshold, and the number of Critical and High risk API vulnerabilities have increased dramatically – all of which suggests that extra vigilance is needed.
  • 33% of the reported API vulnerabilities are almost immediately exploited, with PoCs published within a median of 2-½ weeks.
  • Top cybersecurity, enterprise and DevOps products were affected by API security issues, including the following top-5 most impactful:
Vendor CVE CVSS Score
1 F5 Networks CVE-2022-1388 9.8
2 WSO2 CVE-2022-29464 9.8
3 VMware CVE-2022-22980 9.8
4 Gitlab CVE-2022-1783 2.7
5 Argo Project CVE-2022-29165 10



For more highlights from the final report, take a look at our Q2-2022 API Vulnerability & Exploit infographic. We think you'll find it enlightening, and believe it will help you improve your API vulnerability management and security posture.

Deep-Dive Webinar

To learn more, we invite you to attend our upcoming webinar on Thursday, August 8th. In this live interactive event, Ivan Novikov, CEO & co-founder of Wallarm and noted security researcher, will take a deep-dive into the latest API vulnerability and exploit data, and discuss the implications to your organizational risk and your cyberdefenses.

Register for the Live Event


Date: Monday, Aug 8, 2022

Time: 11:00am PT / 2:00pm ET

Title: Q2 API Vulnerability Report: Are APIs Really A Threat?

Speaker: Ivan Novikov, CEO & co-founder of Wallarm


Our API Security experts will be on hand to answer all your questions – and all registered attendees will receive an advance copy of the final report after the event. We look forward to seeing you there!


In Closing

Expanding your vulnerability management program to cover APIs will require visibility across your entire API portfolio, assessing and triaging API vulnerabilities as they arise, and ensuring mitigations are implemented. We believe this effort validates the initial prediction – yes, Gartner was right: API threats are growing and even faster than expected. Using Wallarm API security solution is the best way to discover your API attack surface and protect your API portfolio from increasing threats.


[1] Gartner, Magic Quadrant for Application Security Testing (ID G00733839)