GitHub Copilot Security Guide

What vulnerabilities does Copilot commonly create?

The most frequent Copilot-introduced vulnerabilities include SQL injection through string concatenation instead of parameterized queries, cross-site scripting from unescaped user input in HTML output, insecure deserialization, hardcoded credentials, missing HTTPS enforcement, disabled certificate validation, weak random number generation for security tokens, path traversal in file operations, and race conditions in concurrent code. These mirror the OWASP Top 10 because Copilot learned from codebases that contain these exact flaws. UNPWNED scans for all of these vulnerability categories in your deployed application.
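The answer above names nine categories; the block below is an added example, not code from the original page or from UNPWNED, showing four of them (SQL injection, XSS, weak token randomness, path traversal) in the form Copilot typically emits beside a hardened form a reviewer would accept. The in-memory database, the base directory `/srv/uploads`, and all function names are constructed for illustration.

```python
"""Vulnerable-vs-hardened pairs for four Copilot-typical flaw classes.
Added example; every name, the sample database and the sample inputs are
constructed here and are not from any real project."""
import html
import os
import random
import secrets
import sqlite3


def make_db():
    """Constructed in-memory users table used by the SQL examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# 1. SQL injection: the query text is built by string concatenation, so
#    quote characters in `name` become part of the SQL grammar.
def lookup_role_vulnerable(conn, name):
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


# Hardened: a parameterized query; the driver binds `name` as data only.
def lookup_role_safe(conn, name):
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


# 2. Cross-site scripting: user input is pasted unescaped into HTML output.
def greet_vulnerable(user_input):
    return "<p>Hello, " + user_input + "</p>"


# Hardened: escape <, >, &, and quotes before interpolating into HTML text.
def greet_safe(user_input):
    return "<p>Hello, " + html.escape(user_input, quote=True) + "</p>"


# 3. Weak randomness for security tokens: `random` is a seedable PRNG, so
#    two generators with the same seed produce the same "token".
def token_vulnerable(seed=1234):
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(16))


# Hardened: `secrets` reads from the operating system's CSPRNG.
def token_safe():
    return secrets.token_hex(16)


# 4. Path traversal: an untrusted filename is joined under a base directory
#    with no check; "../" segments or an absolute path escape the base.
def resolve_vulnerable(base, filename):
    return os.path.join(base, filename)


# Hardened: canonicalize, then refuse any result outside the base directory.
def resolve_safe(base, filename):
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, filename))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    conn = make_db()
    print("parameterized lookup:", lookup_role_safe(conn, "alice"))
    print("escaped greeting:", greet_safe("<b>Ann</b>"))
    print("CSPRNG token:", token_safe())
    print("contained path:", resolve_safe("/srv/uploads", "notes.txt"))
```

Each safe variant changes one thing: where the untrusted value is interpreted (as a bound parameter rather than SQL text, as escaped text rather than markup, as a canonicalized path checked against its base) or which entropy source backs it. Those are the same fixes a scanner or code reviewer would ask for when it flags the vulnerable form.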


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.