The Primary Attack Vector
Kaspersky's Q1 2026 vulnerability landscape report, published on Securelist, delivers a finding that should reframe every enterprise security conversation: public-facing web applications account for 43.7% of initial attack vectors — the single largest category. Not email phishing (which dominated the 2010s). Not credential stuffing. Not social engineering. The web application that your organization exposes to the internet is, statistically, the most likely entry point for the next attack.
The second-largest vector is trusted relationships at 15.5%, up from 12.7% in 2025 — supply chain attacks where compromised vendors provide the entry point. Together, web applications and trusted relationships account for nearly 60% of all initial attack vectors. The web stack — the framework, the server, the API endpoints — is no longer just a technology choice. It is the primary security surface of the organization.
What 43.7% Means for Framework Selection
If the web application is the front door for 43.7% of attacks, then the framework that builds that web application is the front door's lock. WordPress, with 18,247 cumulative CVEs and a security score of 38 in WebPulse's June 2026 rankings, is a lock with 18,247 known ways to pick it. Hugo, with zero CVEs and a security score of 100, has no lock to pick because there is no door — static HTML files served from a CDN have no application-layer attack surface.
The gap matters more than ever. WebPulse's WARC scan detected 7.4 million WordPress sites — each one a public-facing web application with full server-side processing, database access, file upload handling, and authentication systems. Each one falls into Kaspersky's 43.7% attack surface. The 16,743 Hugo sites in the same scan serve static files from CDNs — they are not 'web applications' in the security sense at all.
The APT Dimension
Kaspersky's report notes that APT campaigns in Q1 2026 specifically targeted recently discovered vulnerabilities in web-facing applications, edge networking devices, and remote access systems. The attackers are not using exotic techniques. They are exploiting the same categories of vulnerabilities that WebPulse tracks: SQL injection, authentication bypass, file upload exploits, and deserialization flaws. The difference between a penetration test and an APT campaign is persistence and intent, not technique.
This week alone, three web application vulnerabilities made headlines: Ghost CMS's CVSS 9.4 SQL injection (700+ sites compromised), Craft CMS's token-based privilege escalation (editor to admin in one URL parameter), and IBM WebSphere's triple CVE (authentication bypass + two RCEs). All three are public-facing web application attacks. All three fall into Kaspersky's 43.7%.
The Budget Implication
Enterprise security budgets are typically allocated to email security (phishing prevention), endpoint protection (EDR/XDR), network security (firewalls/IDS), and identity management (SSO/MFA). Web application security — WAFs, framework selection, dependency scanning, static analysis — often receives a fraction of the budget. Kaspersky's data says that 43.7% of attacks enter through the component that receives the smallest budget allocation. The mismatch between threat surface and security investment is the strategic vulnerability.


