access:pre-auth — 19411 tagged CVE vulnerabilities

19411 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34732 | AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints — AVideo | CWE-306 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-34731 | AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php — AVideo | CWE-306 | 7.5 | High | 2026-03-31 |
| CVE-2026-34381 | Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess — admidio | CWE-284 | 7.5 | High | 2026-03-31 |
| CVE-2026-1579 | PX4 Autopilot Missing authentication for critical function — Autopilot | CWE-306 | 9.8 | Critical | 2026-03-31 |
| CVE-2026-34361 | HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft — org.hl7.fhir.core | CWE-552 | 9.3 | Critical | 2026-03-31 |
| CVE-2026-34360 | HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing — org.hl7.fhir.core | CWE-918 | 5.8 | Medium | 2026-03-31 |
| CVE-2026-34240 | jose vulnerable to untrusted JWK header key acceptance during signature verification — jose | CWE-347 | 7.5 | High | 2026-03-31 |
| CVE-2026-34227 | Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface — sliver | CWE-306 | 8.8 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS — parse-server | CWE-407 | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-34532 | Parse Server: Cloud function validator bypass via prototype chain traversal — parse-server | CWE-863 | 9.1 (AI) | Critical (AI) | 2026-03-31 |
| CVE-2026-34202 | Zebra node crash — V5 transaction hash panic (P2P reachable) — zebra | CWE-1336 | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-4267 | Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI — Query Monitor | CWE-79 | 7.2 | High | 2026-03-31 |
| CVE-2026-3191 | Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update — Minify HTML | CWE-352 | 5.4 | Medium | 2026-03-31 |
| CVE-2026-32916 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes — OpenClaw | CWE-266 | 9.4 | Critical | 2026-03-31 |
| CVE-2026-3881 | Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF — Performance Monitor | | 9.1 (AI) | Critical (AI) | 2026-03-31 |
| CVE-2026-1877 | Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page — Auto Post Scheduler | CWE-79 | 6.1 | Medium | 2026-03-31 |
| CVE-2026-4146 | Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter — Loco Translate | CWE-79 | 6.1 | Medium | 2026-03-31 |
| CVE-2026-1797 | Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files — TrueBooker – Appointment Booking and Scheduler System | CWE-862 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-1710 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax — WooPayments: Integrated WooCommerce Payments | CWE-285 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-3300 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field — Everest Forms Pro | CWE-94 | 9.8 | Critical | 2026-03-31 |
| CVE-2026-4020 | Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API — Gravity SMTP | CWE-200 | 7.5 | High | 2026-03-31 |
| CVE-2026-30878 | baserCMS: Mail Form Acceptance Bypass via Public API — basercms | CWE-285 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-5130 | Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation — Debugger & Troubleshooter | CWE-565 | 8.8 | High | 2026-03-30 |
| CVE-2026-4257 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality — Contact Form by Supsystic | CWE-94 | 9.8 | Critical | 2026-03-30 |
| CVE-2026-31831 | Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint — Tautulli | CWE-23 | 7.5 | - | 2026-03-30 |
| CVE-2026-31804 | Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server — Tautulli | CWE-918 | 4.0 | Medium | 2026-03-30 |
| CVE-2026-33032 | Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover — nginx-ui | CWE-306 | 9.8 | Critical | 2026-03-30 |
| CVE-2026-3321 | Authorization Bypass in ON24 Q&A chat — ON24 Q&A chat | CWE-639 | 7.5 | - | 2026-03-30 |
| CVE-2026-4415 | GIGABYTE\|Gigabyte Control Center - Arbitrary File Write — Gigabyte Control Center | CWE-23 | 8.1 | High | 2026-03-30 |
| CVE-2026-3945 | Tinyproxy security vulnerability — tinyproxy | CWE-190 | 7.5 | High | 2026-03-30 |

Vulnerabilities classified as access:pre-auth represent 19411 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.