From wikipedia
Memory safety violations, such as:
Buffer overflows
Dangling pointers
Input validation errors, such as:
Format string bugs
Improperly handling shell metacharacters so they are interpreted
SQL injection
Code injection
E-mail injection
Directory traversal
Cross-site scripting in web applications
HTTP header injection
HTTP response splitting
Time-of-check-to-time-of-use bugs
Symlink races
Privilege-confusion bugs, such as:
Cross-site request forgery in web applications
Clickjacking
FTP bounce attack
Privilege escalation
User interface failures, such as:
Warning fatigue [2] or user conditioning [3]
Blaming the Victim Prompting a user to make a security decision without giving the user enough information to answer it [4]
Race Conditions [5]