CVE vulnerabilities tagged access:pre-auth (19044)

19044 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-7652 | LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-640) | 5.3 | Medium | 2026-05-09 |
| CVE-2026-6664 | PgBouncer integer overflow in PgBouncer network packet parsing — PgBouncer (CWE-190) | 7.5 | High | 2026-05-09 |
| CVE-2026-42351 | pygeoapi: Path Traversal in STAC FileSystemProvider — pygeoapi (CWE-22) | 7.5 | High | 2026-05-08 |
| CVE-2026-42298 | Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev — postiz-app (CWE-94) | 10.0 | Critical | 2026-05-08 |
| CVE-2026-41432 | New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud — new-api (CWE-345) | 7.1 | High | 2026-05-08 |
| CVE-2026-44286 | FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation — FastGPT (CWE-918) | - | - | 2026-05-08 |
| CVE-2026-42302 | FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox — FastGPT (CWE-306) | 9.8 | Critical | 2026-05-08 |
| CVE-2026-42193 | Plunk: SNS webhook forgery — plunk (CWE-347) | 9.1 | Critical | 2026-05-08 |
| CVE-2026-42282 | n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode — n8n-mcp (CWE-532) | 4.3 | Medium | 2026-05-08 |
| CVE-2026-41495 | n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests — n8n-mcp (CWE-532) | 5.3 | Medium | 2026-05-08 |
| CVE-2026-42030 | MapServer: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in OpenLayers viewer — MapServer (CWE-80) | 6.1 | Medium | 2026-05-08 |
| CVE-2026-42028 | novaGallery: Unauthenticated Path Traversal in Album and Cached Image Routes Allows Reading Images Outside Gallery Root — novagallery (CWE-22) | 5.3 | Medium | 2026-05-08 |
| CVE-2026-42793 | Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe — absinthe (CWE-770) | - | - | 2026-05-08 |
| CVE-2026-43967 | Quadratic fragment-name uniqueness check causes denial of service in absinthe — absinthe (CWE-407) | - | - | 2026-05-08 |
| CVE-2026-41690 | Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters — i18next-http-middleware (CWE-22) | 8.6 | High | 2026-05-08 |
| CVE-2026-44499 | ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning — zebra (CWE-770) | - | - | 2026-05-08 |
| CVE-2026-44500 | ZEBRA: Allocation Amplification in Inbound Network Deserializers — zebra (CWE-770) | 5.3 | Medium | 2026-05-08 |
| CVE-2026-41308 | Password Pusher: JSON API `/p.json` file upload alias bypasses file-push authentication — PasswordPusher (CWE-288) | 6.5 | Medium | 2026-05-08 |
| CVE-2026-44126 | Insecure deserialization — Secure Email Gateway (CWE-502) | - | - | 2026-05-08 |
| CVE-2026-44125 | Missing Authorization in GINAv2 — Secure Email Gateway (CWE-862) | - | - | 2026-05-08 |
| CVE-2026-44128 | Unauthenticated Remote Code Execution — Secure Email Gateway (CWE-95) | - | - | 2026-05-08 |
| CVE-2026-44127 | Local File Inclusion (LFI) and Arbitrary File Deletion — Secure Email Gateway (CWE-73) | - | - | 2026-05-08 |
| CVE-2026-7864 | Exposure of Sensitive Information to an Unauthorized Actor — Secure Email Gateway (CWE-497) | - | - | 2026-05-08 |
| CVE-2026-43287 | drm: Account property blob allocations to memcg — Linux | - | - | 2026-05-08 |
| CVE-2026-41161 | Username Enumeration via Timing Attack — server (CWE-208) | - | - | 2026-05-08 |
| CVE-2022-50994 | DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi — Vigor 2960 (CWE-78) | 8.1 | High | 2026-05-08 |
| CVE-2026-8153 | Command injection in Dashboard Server interface — PolyScope 5 (CWE-78) | 9.8 | Critical | 2026-05-08 |
| CVE-2026-6213 | Remote Spark SparkView RCE — SparkView (CWE-807) | - | - | 2026-05-08 |
| CVE-2026-7330 | Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter — Auto Affiliate Links (CWE-79) | 7.2 | High | 2026-05-08 |
| CVE-2026-4935 | SureTriggers < 1.1.23 – Unauthenticated SQLi — OttoKit: All-in-One Automation Platform | - | - | 2026-05-08 |

Vulnerabilities classified as access:pre-auth represent 19044 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.