access:pre-auth — CVE vulnerabilities tagged 19065

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41287 | Stack-based Buffer Overflow in WatchGuard Agent Discovery Service on Windows Causes Denial of Service - Variant A | WatchGuard Agent | CWE-121 | 6.5 (AI) | Medium (AI) | 2026-05-06 |
| CVE-2026-1719 | Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter | Gravity Bookings | CWE-89 | 7.5 | High | 2026-05-06 |
| CVE-2026-43975 | Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager | Apache Wicket | CWE-22 | 9.1 (AI) | Critical (AI) | 2026-05-06 |
| CVE-2026-35255 | Oracle Cloud Native Environment Command Line Interface code injection vulnerability | Oracle Cloud Native Environment Command Line Interface | | 6.6 | Medium | 2026-05-06 |
| CVE-2026-35254 | Oracle OCI CLI path traversal vulnerability | Oracle OCI CLI of Oracle Open Source Projects | | 6.1 | Medium | 2026-05-06 |
| CVE-2026-7332 | LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter | LatePoint – Calendar Booking Plugin for Appointments and Events | CWE-79 | 7.2 | High | 2026-05-06 |
| CVE-2026-6344 | Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | CWE-22 | 4.9 | Medium | 2026-05-06 |
| CVE-2026-35253 | Oracle Macaron Tool input validation error vulnerability | Oracle Macaron Tool of Oracle Open Source Projects | | 4.7 | Medium | 2026-05-06 |
| CVE-2026-3208 | Mercado Pago payments for WooCommerce <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure | Mercado Pago payments for WooCommerce | CWE-862 | 5.3 | Medium | 2026-05-06 |
| CVE-2026-34473 | ZTE multiple products resource management error vulnerability | n/a | | 7.5 (AI) | High (AI) | 2026-05-06 |
| CVE-2026-40075 | OpenMRS Core arbitrary file read via path traversal in ModuleResourcesServlet | openmrs-core | CWE-22 | 7.5 | - | 2026-05-05 |
| CVE-2026-39852 | Quarkus authorization bypass via semicolon path normalization inconsistency | quarkus | CWE-863 | 9.1 | - | 2026-05-05 |
| CVE-2026-39849 | Pi-hole FTL remote code execution via newline injection in dns.interface configuration | FTL | CWE-93 | 8.8 | - | 2026-05-05 |
| CVE-2026-39383 | Gotenberg unauthenticated blind SSRF via unfiltered webhook URL | gotenberg | CWE-918 | 8.2 | - | 2026-05-05 |
| CVE-2026-35579 | CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports | coredns | CWE-287 | 7.4 | - | 2026-05-05 |
| CVE-2026-40280 | Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists | gotenberg | CWE-918 | 5.3 | - | 2026-05-05 |
| CVE-2026-40331 | Masa CMS unauthenticated SQL injection via altTable parameter in JSON API | MasaCMS | CWE-89 | 9.8 | - | 2026-05-05 |
| CVE-2026-40330 | Masa CMS SQL injection via sortDirection parameter in beanFeed | MasaCMS | CWE-89 | 9.8 | - | 2026-05-05 |
| CVE-2026-40329 | SQL Injection vulnerability via sortBy in beanFeed | MasaCMS | CWE-89 | 9.8 | - | 2026-05-05 |
| CVE-2026-32936 | CoreDNS DoH GET path missing size validation causes CPU and memory amplification | coredns | CWE-400 | 7.5 | - | 2026-05-05 |
| CVE-2026-32934 | CoreDNS DNS-over-QUIC unbounded goroutine growth leads to denial of service | coredns | CWE-770 | 7.5 | - | 2026-05-05 |
| CVE-2026-33190 | CoreDNS TSIG authentication bypass on encrypted DNS transports | coredns | CWE-303 | 7.4 | - | 2026-05-05 |
| CVE-2026-27960 | OpenCTI privilege escalation and unauthenticated access via default admin account | opencti | CWE-287 | 9.8 | Critical | 2026-05-05 |
| CVE-2026-32689 | Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix | phoenix | CWE-770 | 7.5 | - | 2026-05-05 |
| CVE-2026-7412 | Eclipse BaSyx Java Server SDK code issue vulnerability | Eclipse BaSyx | CWE-918 | 8.6 | High | 2026-05-05 |
| CVE-2026-7411 | Eclipse BaSyx Java Server SDK path traversal vulnerability | Eclipse BaSyx | CWE-22 | 10.0 | Critical | 2026-05-05 |
| CVE-2026-4304 | WeePie Cookie Allow <= 3.4.11 - Unauthenticated SQL Injection via 'consent' Parameter | WeePie Cookie Allow | CWE-89 | 7.5 | High | 2026-05-05 |
| CVE-2023-54349 | AmazCart CMS 3.4 Reflected Cross-Site Scripting via Search | AmazCart CMS | CWE-79 | 6.1 | Medium | 2026-05-05 |
| CVE-2023-54346 | WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download | WordPress Plugin Backup Migration | CWE-538 | 7.5 | High | 2026-05-05 |
| CVE-2023-54344 | Eclipse Equinox OSGi 3.7.2 Remote Code Execution via Console | [OSGi | CWE-306 | 9.8 | Critical | 2026-05-05 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.