
cyberjerry42 OP t1_j6ai3ss wrote

It's not an exploit per se, more of a security issue, but I often find secrets that are accidentally public. By secrets I mean API keys, AWS access keys and stuff like that. Put into "wrong" hands (depending on the privileges the key has) it can lead to disastrous results. I've done so multiple times, especially when it comes to something I've found on one of our clients' websites.

Another one which isn't much of an exploit but more of a widespread bad practice is phishing resilience. A LOT of companies don't take phishing exercises seriously despite most of the recent cyber attacks using them as an entry point into a company's systems.

1