I recently found a pretty simple one on https://accounts.google.com/, which is arguably Google's most valued domain. I believe XSS is the most common vulnerability these days. One doesn't even have to be able to inject javascript per se. Only a CSS style is enough in many cases.