I'm surprised XXE doesn't make your list given how basically every huge internet company has had at least one (if not multiple) instances of these vulnerabilities and most of the time it ends up at arbitrary code execution.