Which Languages Have the Worst Security Bugs? Veracode’s Latest Report
Veracode’s State of Software Security Volume 11 reveals that, among popular languages, C++ and PHP suffer the most severe vulnerabilities, while JavaScript and Python see rising issues, highlighting the need for developers to prioritize secure coding practices, regular updates, and careful management of third‑party dependencies.
Veracode’s State of Software Security Volume 11 analyzes security flaws in applications written with .NET, C++, Java, JavaScript, PHP, and Python, based on scans of 130,000 apps.
Key findings include:
JavaScript applications have a 31.5% incidence of cross‑site scripting (XSS) flaws; PHP apps are even worse, with 74.6% containing XSS issues and 71% suffering encryption problems.
.NET applications are most affected by information leakage (62.8% of apps), while C++ apps show the highest rate of error‑handling bugs (66.5%).
Java applications primarily suffer from CRLF injection (64.4% of surveyed apps).
Python apps face serious encryption‑related vulnerabilities in 35% of cases.
Severity varies: 59% of C++ apps contain critical flaws, compared with 52% for PHP, while only 9.6% of JavaScript apps have critical issues.
Veracode’s chief researcher Chris Eng explains that the differing trends stem from language popularity, default security settings, and the prevalence of unsafe primitives—especially in PHP, where many insecure patterns are built‑in.
Even though JavaScript benefits from safer defaults, its massive npm ecosystem introduces risk: the average JavaScript app depends on about 400 third‑party packages, with the top 10% using up to 1,000–2,000 dependencies. Vulnerabilities in any of these packages propagate to the consuming applications.
Eng advises development and product teams to keep dependencies up to date, track technical and security debt over time, and apply patches promptly, especially when major version upgrades are required.
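As an added illustration of the dependency point above (example code written for this summary, not from the article or the Veracode report), the Node script below walks a constructed npm lockfile, counts the packages an app transitively installs, and traces every chain by which a named package reaches the app, including a second nested copy at a different version. The lockfile, package names and the flagged package are hypothetical.

```javascript
// Added example (not from the Veracode report): walk an npm lockfile
// (lockfileVersion 2/3 "packages" map) and trace every chain through which one
// package reaches the app. Lockfile, names and the flagged package are constructed.
const lockfile = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "log-util": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.4.0", dependencies: { "tmpl-engine": "^3.0.0" } },
    "node_modules/tmpl-engine": { version: "3.2.1", dependencies: { "html-escape": "^0.9.0" } },
    "node_modules/html-escape": { version: "0.9.3" },
    "node_modules/log-util": { version: "2.1.0", dependencies: { "html-escape": "^1.0.0" } },
    "node_modules/log-util/node_modules/html-escape": { version: "1.0.0" }, // nested second copy
  },
};

// Package name from its lockfile path ("node_modules/a/node_modules/b" -> "b").
const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
// Resolve dependency `name` from package path `from` the way Node does: prefer a
// nested node_modules, otherwise walk up towards the project root ("").
function resolveDep(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // not installed (e.g. optional or peer dependency)
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}
// Depth-first walk from the root: counts installed packages the app transitively
// depends on and records each chain (app -> ... -> target) with the target's version.
function dependencyReport(lock, target) {
  const packages = lock.packages, reached = new Set(), chains = [], versions = [];
  const visit = (path, chain) => {
    if (chain.includes(path)) return; // cycle guard
    const here = [...chain, path];
    if (path !== "") reached.add(path);
    if (path !== "" && nameOf(path) === target) {
      chains.push(here.map((p) => (p === "" ? lock.name : nameOf(p))));
      versions.push(packages[path].version);
    }
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const resolved = resolveDep(packages, path, dep);
      if (resolved) visit(resolved, here);
    }
  };
  visit("", []);
  return { transitiveCount: reached.size, chains, versions };
}
```

Running `dependencyReport(lockfile, "html-escape")` shows the app installs five packages and reaches two different versions of the flagged one through two top-level dependencies, which is the information a patching decision needs.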
Overall, the industry has not eliminated any major vulnerability class in the past decade; the data simply reflect shifts in language usage and ecosystem size.