The security of state universities' and colleges' websites in the Philippines is vital because they play a critical role in delivering education and information to a wide variety of users. However, these institutions are also exposed to several security flaws due to their growing reliance on digital platforms. The objective of this study is to analyze security vulnerabilities in state universities and colleges websites, utilizing the OWASP Zed Attack Proxy (ZAP), an open-source tool. By adhering to the Open Web Application Security Project (OWASP) Top 10, we can identify potential hazards and suggest appropriate measures to mitigate risks. The steps of the test include gathering data about the test target, using OWASP ZAP to do automatic scanning, exploitation of the scan results, reporting, and offering recommendations. Seventeen (17) SUCs were examined, and the results show that 23.53% are vulnerable to injection, 40.06% had insecure design, 70.59% had outdated components, 88.24% have security misconfiguration, and 94.12% are vulnerable to Broken Access Control. Malicious actors use these vulnerabilities to obtain unauthorized access to software, networks, and systems. By raising the privileges and granting the user ID additional access inside the ecosystem, it can harm the availability, confidentiality, or integrity of data. SUCs should embrace the OWASP Top 10 and begin the process of ensuring that the risks associated with their websites are minimized.