Historical Authority Record

Hall of Fame: Annual Leaderboard

A definitive ranking of history's most critical and routinely exploited vulnerabilities. Sourced from the CISA KEV catalog and ranked by technical severity.

Impact-First Ranking

Prioritizes vulnerabilities formally documented as 'Ransomware Used' in the CISA KEV catalog. Rankings are calculated based on their proven impact on the global threat landscape.

Green Rank

[CVE-2026-20131]Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability

Critical
CVSS 10
Ransomware Used

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

Affected Infrastructure:Secure firewall management center
#2Orange Rank

[CVE-2026-35273]Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability

Critical
CVSS 9.8
Ransomware Used

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected Infrastructure:Peoplesoft enterprise peopletools
#3Purple Rank

[CVE-2026-48027]Nx Console Embedded Malicious Code Vulnerability

Critical
CVSS 9.8
Ransomware Used

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.

Affected Infrastructure:Nx console
#4Rank #4

[CVE-2026-48282]Adobe ColdFusion Path Traversal Vulnerability

Critical
CVSS 10

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Affected Infrastructure:Coldfusion
#5Rank #5

[CVE-2026-48558]SimpleHelp Authentication Bypass Vulnerability

Critical
CVSS 10

SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.

Affected Infrastructure:Simplehelp
#6Rank #6

[CVE-2026-10520]Ivanti Sentry OS Command Injection Vulnerability

Critical
CVSS 10

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

Affected Infrastructure:Standalone sentry
#7Rank #7

[CVE-2026-34910]Ubiquiti UniFi OS Improper Input Validation Vulnerability

Critical
CVSS 10

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

Affected Infrastructure:Unifi os server
#8Rank #8

[CVE-2026-34909]Ubiquiti UniFi OS Path Traversal Vulnerability

Critical
CVSS 10

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

Affected Infrastructure:Unifi os server
#9Rank #9

[CVE-2026-34908]Ubiquiti UniFi OS Improper Access Control Vulnerability

Critical
CVSS 10

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

Affected Infrastructure:Unifi os server
#10Rank #10

[CVE-2026-20182]Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

Critical
CVSS 10

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Affected Infrastructure:Catalyst sd-wan manager
#11Rank #11

[CVE-2026-20127]Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

Critical
CVSS 10

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

Affected Infrastructure:Catalyst sd-wan manager
#12Rank #12

[CVE-2026-22769]Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability

Critical
CVSS 10

Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.

Affected Infrastructure:Recoverpoint for virtual machines
#13Rank #13

[CVE-2026-56290]Joomlack Page Builder Improper Access Control Vulnerability

Critical
CVSS 9.8

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Affected Infrastructure:Page builder ck
#14Rank #14

[CVE-2026-48908]JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

Critical
CVSS 9.8

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

Affected Infrastructure:Sp page builder
#15Rank #15

[CVE-2026-12569]PTC Windchill and FlexPLM Improper Input Validation Vulnerability

Critical
CVSS 9.8

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

Affected Infrastructure:Flexplm
#16Rank #16

[CVE-2026-20253]Splunk Enterprise Missing Authentication for Critical Function Vulnerability

Critical
CVSS 9.8

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Affected Infrastructure:Splunk
#17Rank #17

[CVE-2026-48907]Widget Factory Joomla Content Editor Improper Access Control Vulnerability

Critical
CVSS 9.8

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

Affected Infrastructure:Jce
#18Rank #18

[CVE-2026-45247]Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

Critical
CVSS 9.8

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Affected Infrastructure:Full page cache warmer
#19Rank #19

[CVE-2026-48172]LiteSpeed cPanel Plugin Privilege Escalation Vulnerability

Critical
CVSS 9.8

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

Affected Infrastructure:Litespeed cpanel plugin
#20Rank #20

[CVE-2026-9082]Drupal Core SQL Injection Vulnerability

Critical
CVSS 9.8

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

Affected Infrastructure:Drupal