Skip to content
Business Efficiency

43.7% of All Attacks Enter Through Web Applications. The Front Door Is the Web Server.

Kaspersky's Q1 2026 vulnerability landscape report confirms what WebPulse's data has been showing: public-facing web applications are the primary attack vector for 43.7% of incidents. Not email. Not phishing. The web application itself.

· 5 min read
Share on X LinkedIn
43.7% of All Attacks Enter Through Web Applications. The Front Door Is the Web Server.

The Primary Attack Vector

Kaspersky's Q1 2026 vulnerability landscape report, published on Securelist, delivers a finding that should reframe every enterprise security conversation: public-facing web applications account for 43.7% of initial attack vectors — the single largest category. Not email phishing (which dominated the 2010s). Not credential stuffing. Not social engineering. The web application that your organization exposes to the internet is, statistically, the most likely entry point for the next attack.

The second-largest vector is trusted relationships at 15.5%, up from 12.7% in 2025 — supply chain attacks where compromised vendors provide the entry point. Together, web applications and trusted relationships account for nearly 60% of all initial attack vectors. The web stack — the framework, the server, the API endpoints — is no longer just a technology choice. It is the primary security surface of the organization.

43.7%
Web applications as attack vector
Largest single category for initial compromise. Source: Kaspersky/Securelist, Q1 2026.
15.5%
Trusted relationships
Up from 12.7% in 2025. Supply chain attacks growing. Source: Kaspersky, Q1 2026.
~59%
Combined web + supply chain
Nearly 6 in 10 attacks start through web infrastructure or its supply chain. Source: Kaspersky, Q1 2026.

What 43.7% Means for Framework Selection

If the web application is the front door for 43.7% of attacks, then the framework that builds that web application is the front door's lock. WordPress, with 18,247 cumulative CVEs and a security score of 38 in WebPulse's June 2026 rankings, is a lock with 18,247 known ways to pick it. Hugo, with zero CVEs and a security score of 100, has no lock to pick because there is no door — static HTML files served from a CDN have no application-layer attack surface.

The gap matters more than ever. WebPulse's WARC scan detected 7.4 million WordPress sites — each one a public-facing web application with full server-side processing, database access, file upload handling, and authentication systems. Each one falls into Kaspersky's 43.7% attack surface. The 16,743 Hugo sites in the same scan serve static files from CDNs — they are not 'web applications' in the security sense at all.

The APT Dimension

Kaspersky's report notes that APT campaigns in Q1 2026 specifically targeted recently discovered vulnerabilities in web-facing applications, edge networking devices, and remote access systems. The attackers are not using exotic techniques. They are exploiting the same categories of vulnerabilities that WebPulse tracks: SQL injection, authentication bypass, file upload exploits, and deserialization flaws. The difference between a penetration test and an APT campaign is persistence and intent, not technique.

This week alone, three web application vulnerabilities made headlines: Ghost CMS's CVSS 9.4 SQL injection (700+ sites compromised), Craft CMS's token-based privilege escalation (editor to admin in one URL parameter), and IBM WebSphere's triple CVE (authentication bypass + two RCEs). All three are public-facing web application attacks. All three fall into Kaspersky's 43.7%.

The Budget Implication

Enterprise security budgets are typically allocated to email security (phishing prevention), endpoint protection (EDR/XDR), network security (firewalls/IDS), and identity management (SSO/MFA). Web application security — WAFs, framework selection, dependency scanning, static analysis — often receives a fraction of the budget. Kaspersky's data says that 43.7% of attacks enter through the component that receives the smallest budget allocation. The mismatch between threat surface and security investment is the strategic vulnerability.

38 / 100
WordPress security score
Lowest of any major framework. Source: WebPulse Rankings, June 2026.
100 / 100
Hugo security score
Zero CVEs, zero attack surface. Source: WebPulse Rankings, June 2026.
Share this insight