Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

access:pre-auth — CVE vulnerabilities tagged 19070

19070 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2026-35604 File Browser share links remain accessible after Share/Download permissions are revoked — filebrowserCWE-863 4.3AIMediumAI2026-04-07
CVE-2026-35584 FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration — freescoutCWE-306 8.2AIHighAI2026-04-07
CVE-2026-35526 Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions — strawberryCWE-770 7.5 High2026-04-07
CVE-2026-35487 text-generation-webui has a Path Traversal in load_prompt() — .txt file read without authentication — text-generation-webuiCWE-22 5.3 Medium2026-04-07
CVE-2026-35485 text-generation-webui has a Path Traversal in load_grammar() — arbitrary file read without authentication — text-generation-webuiCWE-22 7.5 High2026-04-07
CVE-2026-35484 text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication — text-generation-webuiCWE-22 5.3 Medium2026-04-07
CVE-2026-35483 text-generation-webui has a Path Traversal in load_template() — .jinja/.yaml/.yml file read without authentication — text-generation-webuiCWE-22 5.3 Medium2026-04-07
CVE-2026-35457 libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion — rust-libp2pCWE-770 8.2 High2026-04-07
CVE-2026-22679 Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint — E-cologyCWE-306 9.8 Critical2026-04-07
CVE-2021-4473 Tianxin Internet Behavior Management System Command Injection via toQuery.php — Tianxin Internet Behavior Management SystemCWE-78 9.8 Critical2026-04-07
CVE-2026-28808 ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch) — OTPCWE-863 9.8AICriticalAI2026-04-07
CVE-2026-31842 Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling — TinyproxyCWE-444 7.5 High2026-04-07
CVE-2026-4420 Stored XSS via Page Creating functionality in Bludit — BluditCWE-79 5.4AIMediumAI2026-04-07
CVE-2026-3177 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook — Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & MoreCWE-345 5.3 Medium2026-04-07
CVE-2026-1900 Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update — Link Whisper Free 5.3AIMediumAI2026-04-07
CVE-2025-15611 Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF — Popup Box 7.1AIHighAI2026-04-07
CVE-2026-0740 Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload — Ninja Forms - File UploadsCWE-434 9.8 Critical2026-04-07
CVE-2025-56015 GenieACS 安全漏洞 — n/a 9.8AICriticalAI2026-04-07
CVE-2026-31272 MRCMS 安全漏洞 — n/a 9.8AICriticalAI2026-04-07
CVE-2026-31271 production_ssm 安全漏洞 — n/a 9.8AICriticalAI2026-04-07
CVE-2026-35449 WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php — AVideoCWE-200 5.3 Medium2026-04-06
CVE-2026-35413 Directus GraphQL Schema SDL Disclosure Setting — directusCWE-200 5.3 Medium2026-04-06
CVE-2026-22675 OCS Inventory NG Server Stored XSS via User-Agent — OCS Inventory NG ServerCWE-79 5.4 Medium2026-04-06
CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses — HAXiamCWE-284 7.5AIHighAI2026-04-06
CVE-2026-35179 WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php — AVideoCWE-862 5.3 Medium2026-04-06
CVE-2026-35036 Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature — Ech0CWE-918 7.5 High2026-04-06
CVE-2026-35030 LiteLLM has an authentication bypass via OIDC userinfo cache key collision — litellmCWE-287 6.5AIMediumAI2026-04-06
CVE-2026-34981 whisperX REST API: SSRF in download_from_url() — URL validation happens after HTTP request, extension bypass via .mp3 — whisperX-FastAPICWE-918 5.8 Medium2026-04-06
CVE-2026-34977 Aperi'Solve Affected by Unauthenticated RCE via JPSeek Analyzer Command — AperiSolveCWE-78 9.8AICriticalAI2026-04-06
CVE-2026-34976 Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization — dgraphCWE-862 10.0 Critical2026-04-06

Vulnerabilities classified as access:pre-auth represent 19070 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.