access:pre-auth — 19263 tagged CVE vulnerabilities

19263 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32624 | xrdp: Heap buffer overflow in xrdp_sec_process_logon_info() via incorrect g_strncat length calculation | xrdp | CWE-122 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-33516 | xrdp: Pre-authentication out-of-bounds reads in RDP capability and channel parsers | xrdp | CWE-125 | 9.1 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40066 | Anviz Products Download of Code Without Integrity Check | Anviz CX7 Firmware | CWE-494 | 8.8 | High | 2026-04-17 |
| CVE-2026-35546 | Anviz Products Missing Authentication for Critical Function | Anviz CX7 Firmware | CWE-306 | 9.8 | Critical | 2026-04-17 |
| CVE-2026-40461 | Anviz Products Missing Authentication for Critical Function | Anviz CX7 Firmware | CWE-306 | 7.5 | High | 2026-04-17 |
| CVE-2026-32648 | Anviz Products Missing Authorization | Anviz CX7 Firmware | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-32105 | xrdp: RDP MAC signature (dataSignature) never verified on receive — integrity bypass in non-TLS mode | xrdp | CWE-354 | 5.9 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-35061 | Anviz Products Missing Authorization | Anviz CX7 Firmware | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-33093 | Anviz Products Missing Authorization | Anviz CX7 Firmware | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-35215 | Firebird: DoS via malicious slice descriptor in slice packet | firebird | CWE-369 | 7.5 | High | 2026-04-17 |
| CVE-2026-34232 | Firebird: DoS via `op_response` packet from client | firebird | CWE-228 | 7.5 | High | 2026-04-17 |
| CVE-2026-33337 | Firebird has a buffer overflow when parsing corrupted slice packets | firebird | CWE-120 | 7.5 | High | 2026-04-17 |
| CVE-2026-28224 | Firebird Null Pointer Dereference via CryptCallback causes DOS | firebird | CWE-476 | 8.2 | High | 2026-04-17 |
| CVE-2026-27890 | Firebird has Pre-Auth DOS when Processing Out of Order CNCT_specific_data Segments | firebird | CWE-119 | 8.2 | High | 2026-04-17 |
| CVE-2026-28212 | Firebird has potential server crash via null pointer dereference when processing op_slice packet | firebird | CWE-476 | 7.5 | High | 2026-04-17 |
| CVE-2026-5710 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field | Drag and Drop Multiple File Upload for Contact Form 7 | CWE-22 | 7.5 | High | 2026-04-17 |
| CVE-2026-5718 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass | Drag and Drop Multiple File Upload for Contact Form 7 | CWE-434 | 8.1 | High | 2026-04-17 |
| CVE-2026-6497 | prasathmani TinyFileManager File Upload filemanager.php server-side request forgery | TinyFileManager | CWE-918 | 6.3 | Medium | 2026-04-17 |
| CVE-2025-15625 | Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server | Sparx Pro Cloud Server | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2025-15623 | Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user | Sparx Pro Cloud Server | CWE-359 | 7.5 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-6494 | Aap-mcp-server: aap mcp server: log injection allows social engineering attacks via unsanitized input | Red Hat Ansible Automation Platform 2 | CWE-117 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-6451 | CMS für Motorrad Werkstätten <= 1.0.0 - Cross-Site Request Forgery | Plugin: CMS für Motorrad Werkstätten | CWE-352 | 4.3 | Medium | 2026-04-17 |
| CVE-2026-23853 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain | CWE-1391 | 8.4 | High | 2026-04-17 |
| CVE-2026-5797 | Quiz and Survey Master (QSM) <= 11.1.0 - Unauthenticated Shortcode Injection Leading to Arbitrary Quiz Result Disclosure via Quiz Answer Text Input Fields | Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | CWE-74 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-5234 | LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID | LatePoint – Calendar Booking Plugin for Appointments and Events | CWE-639 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-5807 | Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations | Vault | CWE-770 | 7.5 | High | 2026-04-17 |
| CVE-2026-5231 | WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter | WP Statistics – Simple, privacy-friendly Google Analytics alternative | CWE-79 | 7.2 | High | 2026-04-17 |
| CVE-2026-37749 | CodeAstro Simple Attendance Management System security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40265 | Note Mark has Broken Access Control on Asset Download | note-mark | CWE-862 | 5.9 | Medium | 2026-04-16 |
| CVE-2026-40263 | Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel | note-mark | CWE-208 | 3.7 | Low | 2026-04-16 |

Vulnerabilities classified as access:pre-auth represent 19263 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.