access:pre-auth — CVE vulnerabilities tagged (19253)

19253 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5724 | Missing Authentication on Streaming gRPC Replication Endpoint | temporal | CWE-306 | 5.9 | - | 2026-04-10 |
| CVE-2026-40242 | Arcane Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint | arcane | CWE-918 | 7.2 | High | 2026-04-10 |
| CVE-2026-40189 | goshs has a file-based ACL authorization bypass in goshs state-changing routes | goshs | CWE-862 | 9.8 (AI) | Critical (AI) | 2026-04-10 |
| CVE-2026-33707 | Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms | chamilo-lms | CWE-640 | 9.4 | Critical | 2026-04-10 |
| CVE-2026-33705 | Chamilo LMS has unauthenticated access to Twig template source files exposes application logic | chamilo-lms | CWE-538 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-33698 | Chamilo LMS affected by unauthenticated RCE in main/install folder | chamilo-lms | CWE-552 | 9.8 | - | 2026-04-10 |
| CVE-2026-33618 | Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings | chamilo-lms | CWE-95 | 8.8 | High | 2026-04-10 |
| CVE-2026-40163 | Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read | saltcorn | CWE-22 | 8.2 | High | 2026-04-10 |
| CVE-2026-40100 | FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default | FastGPT | CWE-918 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-40086 | Rembg has a Path Traversal via Custom Model Loading | rembg | CWE-22 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-35665 | OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing | OpenClaw | CWE-405 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-5777 | Security Misconfiguration Vulnerability in Atom 3x Projector | Atom 3X Projector | CWE-306 | 8.8 | - | 2026-04-10 |
| CVE-2026-6057 | Unauthenticated Path Traversal in FalkorDB Browser Leads to Remote Code Execution | FalkorDB Browser | CWE-22 | 9.8 | - | 2026-04-10 |
| CVE-2026-4432 | YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Arbitrary Wishlist Renaming via IDOR | YITH WooCommerce Wishlist | | 5.3 | - | 2026-04-10 |
| CVE-2026-4305 | Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter | Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely | CWE-79 | 6.1 | Medium | 2026-04-10 |
| CVE-2026-1924 | Aruba HiSpeed Cache <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset | Aruba HiSpeed Cache | CWE-352 | 4.3 | Medium | 2026-04-10 |
| CVE-2026-3360 | Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter | Tutor LMS – eLearning and online course solution | CWE-862 | 7.5 | High | 2026-04-10 |
| CVE-2026-4664 | Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter | Customer Reviews for WooCommerce | CWE-287 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-23782 | BMC Control-M/MFT security vulnerability | n/a | | 9.8 | - | 2026-04-10 |
| CVE-2026-34424 | Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit | Smart Slider 3 Pro for WordPress | CWE-506 | 9.8 | Critical | 2026-04-09 |
| CVE-2026-5778 | Integer underflow leads to out-of-bounds access in sniffer ChaCha decrypt path. | wolfSSL | CWE-191 | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-33784 | JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access | JSI LWC | CWE-1393 | 9.8 | Critical | 2026-04-09 |
| CVE-2026-33781 | Junos OS: EX Series, QFX Series: In a VXLAN scenario when specific control protocol packets are received, memory leaks and eventually no traffic is passed | Junos OS | CWE-754 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-33778 | Junos OS: SRX Series, MX Series: When a specifically malformed first ISAKMP packet is received kmd/iked crashes | Junos OS | CWE-1286 | 7.5 | High | 2026-04-09 |
| CVE-2026-33774 | Junos OS: MX Series: Firewall filters on lo0.<non-0> in the default routing instance are not in effect | Junos OS | CWE-754 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-33771 | CTP OS: Configuring password requirements does not work which permits the use of weak passwords | CTP OS | CWE-521 | 7.4 | High | 2026-04-09 |
| CVE-2025-13914 | Apstra: SSH host key validation vulnerability for managed devices | Apstra | CWE-322 | 8.7 | High | 2026-04-09 |
| CVE-2026-33797 | Junos OS and Junos OS Evolved: An attacker sending a specific genuine BGP packet causes a BGP reset | Junos OS | CWE-20 | 7.4 | High | 2026-04-09 |
| CVE-2026-33775 | Junos OS: MX Series: Mismatch between configured and received packet types causes memory leak in bbe-smgd | Junos OS | CWE-401 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-40151 | PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS | PraisonAI | CWE-200 | 5.3 | Medium | 2026-04-09 |

Vulnerabilities classified as access:pre-auth represent 19253 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.