
access:pre-auth — CVE vulnerabilities tagged (19534)

19534 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40263 | Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel | note-mark | CWE-208 | 3.7 | Low | 2026-04-16 |
| CVE-2026-40248 | free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions | free5gc | CWE-285 | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-40247 | free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions | free5gc | CWE-285 | 5.3 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40246 | free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions | free5gc | CWE-285 | 5.3 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40308 | My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog | my-calendar | CWE-639 | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-39313 | MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport | mcp-framework | CWE-770 | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2025-36579 | Dell Client Platform BIOS security vulnerability | Dell Pro 14 Essential PV14250 | CWE-640 | 5.1 | Medium | 2026-04-16 |
| CVE-2026-6270 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes | @fastify/middie | CWE-436 | 9.1 | Critical | 2026-04-16 |
| CVE-2026-6410 | @fastify/static vulnerable to path traversal in directory listing | @fastify/static | CWE-22 | 5.3 | Medium | 2026-04-16 |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | CWE-639 | 5.3 | Medium | 2026-04-16 |
| CVE-2026-31843 | For national payment systems in Uzbekistan: security vulnerability | pay-uz | CWE-284 | 9.8 | Critical | 2026-04-16 |
| CVE-2026-3489 | DirectoryPress – Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injection via 'packages' | DirectoryPress – Business Directory And Classified Ad Listing | CWE-89 | 7.5 | High | 2026-04-16 |
| CVE-2026-0718 | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX | CWE-862 | 5.3 | Medium | 2026-04-16 |
| CVE-2025-14868 | Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion | Career Section | CWE-22 | 8.8 | High | 2026-04-16 |
| CVE-2026-3876 | Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode | Prismatic | CWE-79 | 7.2 | High | 2026-04-16 |
| CVE-2026-3355 | Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' | Customer Reviews for WooCommerce | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2026-3581 | Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update | Basic Google Maps Placemarks | CWE-862 | 5.3 | Medium | 2026-04-16 |
| CVE-2026-3599 | Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data | Riaxe Product Customizer | CWE-89 | 7.5 | High | 2026-04-16 |
| CVE-2026-5050 | Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation | Payment Gateway for Redsys & WooCommerce Lite | CWE-347 | 7.5 | High | 2026-04-16 |
| CVE-2026-3595 | Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter | Riaxe Product Customizer | CWE-862 | 5.3 | Medium | 2026-04-16 |
| CVE-2026-3596 | Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action | Riaxe Product Customizer | CWE-862 | 9.8 | Critical | 2026-04-16 |
| CVE-2026-4032 | CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode | CodeColorer | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2026-6351 | Openfind\|MailGates/MailAudit - CRLF Injection | MailGates | CWE-93 | 7.5 | High | 2026-04-16 |
| CVE-2026-6350 | Openfind\|MailGates/MailAudit - Stack-based Buffer Overflow | MailGates | CWE-121 | 9.8 | Critical | 2026-04-16 |
| CVE-2026-6349 | HGiga\|iSherlock - OS Command Injection | iSherlock-base-4.5 | CWE-78 | 9.8 | Critical | 2026-04-16 |
| CVE-2026-37100 | Yamaha SR-B30A security vulnerability | n/a | | 8.1 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-30459 | FUEL CMS security vulnerability | n/a | | 8.1 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-4880 | Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication | Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) | CWE-269 | 9.8 | Critical | 2026-04-15 |
| CVE-2026-40245 | Free5GC: UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication | free5gc | CWE-200 | 7.5 | High | 2026-04-15 |
| CVE-2026-40173 | Dgraph: Unauthenticated pprof endpoint leaks admin auth token | dgraph | CWE-200 | 9.4 | Critical | 2026-04-15 |

Vulnerabilities classified as access:pre-auth represent 19534 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.