CVE vulnerabilities tagged access:pre-auth (19070)

19070 CVE security advisories tagged "access:pre-auth", with AI analysis in Chinese, CVSS scores, references and PoCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-4267 | Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI | Query Monitor | CWE-79 | 7.2 | High | 2026-03-31 |
| CVE-2026-3191 | Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update | Minify HTML | CWE-352 | 5.4 | Medium | 2026-03-31 |
| CVE-2026-32916 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | OpenClaw | CWE-266 | 9.4 | Critical | 2026-03-31 |
| CVE-2026-3881 | Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF | Performance Monitor | | 9.1 (AI) | Critical (AI) | 2026-03-31 |
| CVE-2026-1877 | Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page | Auto Post Scheduler | CWE-79 | 6.1 | Medium | 2026-03-31 |
| CVE-2026-4146 | Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter | Loco Translate | CWE-79 | 6.1 | Medium | 2026-03-31 |
| CVE-2026-1710 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax | WooPayments: Integrated WooCommerce Payments | CWE-285 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-1797 | Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files | TrueBooker – Appointment Booking and Scheduler System | CWE-862 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-3300 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | Everest Forms Pro | CWE-94 | 9.8 | Critical | 2026-03-31 |
| CVE-2026-4020 | Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API | Gravity SMTP | CWE-200 | 7.5 | High | 2026-03-31 |
| CVE-2026-30878 | baserCMS: Mail Form Acceptance Bypass via Public API | basercms | CWE-285 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-5130 | Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation | Debugger & Troubleshooter | CWE-565 | 8.8 | High | 2026-03-30 |
| CVE-2026-4257 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | Contact Form by Supsystic | CWE-94 | 9.8 | Critical | 2026-03-30 |
| CVE-2026-31831 | Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint | Tautulli | CWE-23 | 7.5 | - | 2026-03-30 |
| CVE-2026-31804 | Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server | Tautulli | CWE-918 | 4.0 | Medium | 2026-03-30 |
| CVE-2026-33032 | Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover | nginx-ui | CWE-306 | 9.8 | Critical | 2026-03-30 |
| CVE-2026-3321 | Authorization Bypass in ON24 Q&A chat | ON24 Q&A chat | CWE-639 | 7.5 | - | 2026-03-30 |
| CVE-2026-4415 | GIGABYTE\|Gigabyte Control Center - Arbitrary File Write | Gigabyte Control Center | CWE-23 | 8.1 | High | 2026-03-30 |
| CVE-2026-3945 | Tinyproxy security vulnerability | tinyproxy | CWE-190 | 7.5 | High | 2026-03-30 |
| CVE-2026-2328 | Backend Access Due to Insufficient Input Validation | Device Sphere | CWE-790 | 7.5 | High | 2026-03-30 |
| CVE-2026-3124 | Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id' | Download Monitor | CWE-639 | 7.5 | High | 2026-03-30 |
| CVE-2026-34472 | ZTE ZXHN H188A security vulnerability | n/a | | 8.4 | - | 2026-03-30 |
| CVE-2026-29872 | Awesome LLM Apps security vulnerability | n/a | | 7.5 | - | 2026-03-30 |
| CVE-2026-29909 | MRCMS security vulnerability | n/a | | 5.3 | - | 2026-03-30 |
| CVE-2026-0558 | Unauthenticated File Upload in parisneo/lollms | parisneo/lollms | CWE-287 | 9.8 | - | 2026-03-29 |
| CVE-2026-32980 | OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request | OpenClaw | CWE-770 | 7.5 | High | 2026-03-29 |
| CVE-2026-32974 | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token | OpenClaw | CWE-347 | 8.6 | High | 2026-03-29 |
| CVE-2018-25225 | SIPP 3.3 Stack-Based Buffer Overflow via Configuration File | SIPP | CWE-306 | 8.4 | High | 2026-03-28 |
| CVE-2018-25224 | PMS 0.42 Stack-Based Buffer Overflow via Configuration File | PMS | CWE-306 | 8.4 | High | 2026-03-28 |
| CVE-2026-2442 | Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' | Page Builder: Pagelayer – Drag and Drop website builder | CWE-93 | 5.3 | Medium | 2026-03-28 |

19070 CVEs are classified as access:pre-auth. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.