Vulnerable Components

During web application development, developers routinely build on third-party components such as libraries, frameworks, web servers and application servers. These components spare developers redundant work and provide needed functionality along with established best practices, but they are often adopted to implement a feature without first verifying their provenance or whether the version in use is current; most known bugs are fixed only in newer releases.

How exploitable a vulnerability in such a component is depends on what the flaw is and where the component sits. A vulnerability in a public-facing web server, for example, is more readily exploitable than one in a less exposed internal component or library.

Attackers actively search for security flaws in these components, and because developers reuse the same components across many websites, a single weakness, once found and exploited, can leave hundreds of web applications vulnerable.

Component maintainers regularly release security patches and updates for known vulnerabilities, but application developers do not always update their applications to the patched or most recent versions of those components.

Remediation Techniques:

  • Obtain components only from official, reputable vendors or sources, keep an inventory of the components in use (including their versions), and remove unused dependencies, unnecessary features and components.
  • Keep monitoring for version updates and patches for both client-side and server-side components and their transitive dependencies, and apply them promptly.
  • Continuously monitor sources such as the CVE database and vendor advisories for vulnerabilities in the well-known and widely used components you depend on.
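The three remediation points above (inventory the components, drop the unused ones, check the pinned versions against a vulnerability feed) can be combined into a small dependency audit. The script below is an added example written for this page, not code from the original article or from any particular tool. The requirements manifest, the advisory feed and the list of imported modules are all constructed for the demonstration, and the advisory identifiers are placeholders rather than real CVE records; in practice the feed would be fetched from a database such as NVD or OSV, and the imported-module set derived by scanning the source tree.

```python
"""Inventory pinned dependencies, flag unpinned and unused ones, and check
each pinned version against a vulnerability feed.

Added example for this page; the manifest, advisories and import list are
constructed sample data and the advisory IDs are placeholders, not real CVEs.
"""
import re

# Constructed sample of a project's pinned dependency manifest.
SAMPLE_REQUIREMENTS = """\
# web framework and template engine
exampleweb==2.0.3
exampletemplates==1.4.0
# unpinned: whatever the resolver picks today
examplehttp
# never imported anywhere in the code base
exampleunused==0.9.1
"""

# Constructed advisory feed: each entry names the affected component and the
# first version that contains the fix.  IDs are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "exampleweb", "fixed_in": "2.0.4"},
    {"id": "EXAMPLE-2023-0002", "package": "exampletemplates", "fixed_in": "1.3.2"},
]

# Modules the application actually imports (constructed; a real tool would
# derive this by scanning the source tree).
IMPORTED_MODULES = {"exampleweb", "exampletemplates", "examplehttp"}

# name, optionally followed by ==version (other specifiers are rejected so
# nothing slips through unparsed)
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?\s*$")


def parse_requirements(text):
    """Return {package_name: version_or_None} from a requirements-style manifest."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError("unsupported requirement line: %r" % line)
        name, version = m.group(1).lower(), m.group(2)
        deps[name] = version
    return deps


def version_key(v):
    """Numeric tuple for comparing dotted release versions, e.g. '2.0.3'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit(deps, advisories, imported):
    """Classify each dependency as vulnerable, unpinned, unused, or ok."""
    findings = {"vulnerable": [], "unpinned": [], "unused": [], "ok": []}
    for name, version in sorted(deps.items()):
        if name not in imported:
            findings["unused"].append(name)  # remove it rather than patch it
        if version is None:
            findings["unpinned"].append(name)  # cannot audit an unknown version
            continue
        hits = [a["id"] for a in advisories
                if a["package"] == name
                and version_key(version) < version_key(a["fixed_in"])]
        if hits:
            findings["vulnerable"].append((name, version, hits))
        elif name in imported:
            findings["ok"].append(name)
    return findings


if __name__ == "__main__":
    result = audit(parse_requirements(SAMPLE_REQUIREMENTS),
                   SAMPLE_ADVISORIES, IMPORTED_MODULES)
    for category, items in result.items():
        print(category, items)
```

Run against the sample data, the audit reports exampleweb 2.0.3 as vulnerable (fix is in 2.0.4), examplehttp as unpinned, exampleunused as removable, and exampletemplates as fine because 1.4.0 already contains the fix. The version comparison is deliberately simple (numeric dotted releases only); real manifests with pre-release or epoch versions need a proper version parser.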