Injection (SQL/NoSQL/command), broken auth, sensitive data exposure, XSS (if serving HTML), rate limiting / DoS, dependency vulnerabilities, unsafe eval/child_process with user input, path traversal on file APIs, JWT misuse (alg:none, weak secrets).
Source: OWASP