
access:pre-auth — 19263 CVE vulnerabilities carry this tag

19263 CVE security advisories tagged "access:pre-auth", each with AI-generated Chinese analysis, CVSS score, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-4069 | Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter | Alfie – Feed Plugin | CWE-79 | 6.1 | Medium | 2026-03-21 |
| CVE-2026-3506 | WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover | WP-Chatbot for Messenger | CWE-862 | 5.3 | Medium | 2026-03-21 |
| CVE-2026-2277 | rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters | rexCrawler | CWE-79 | 6.1 | Medium | 2026-03-21 |
| CVE-2026-1390 | Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update | Redirect countdown | CWE-352 | 4.3 | Medium | 2026-03-21 |
| CVE-2026-1378 | WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update | WP Posts Re-order | CWE-352 | 4.3 | Medium | 2026-03-21 |
| CVE-2026-1393 | Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update | Add Google Social Profiles to Knowledge Graph Box | CWE-352 | 4.3 | Medium | 2026-03-21 |
| CVE-2026-2375 | App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter | App Builder – Create Native Android & iOS Apps On The Flight | CWE-269 | 6.5 | Medium | 2026-03-21 |
| CVE-2026-1800 | Fonts Manager \| Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter | Fonts Manager \| Custom Fonts | CWE-89 | 7.5 | High | 2026-03-21 |
| CVE-2026-3335 | Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload | Canto | CWE-862 | 5.3 | Medium | 2026-03-21 |
| CVE-2026-2440 | SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting | SurveyJS: Drag & Drop Form Builder | CWE-79 | 7.2 | High | 2026-03-21 |
| CVE-2026-3570 | Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter | Smarter Analytics | CWE-862 | 5.3 | Medium | 2026-03-21 |
| CVE-2026-4302 | WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | CWE-918 | 7.2 | High | 2026-03-21 |
| CVE-2026-32896 | OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin | OpenClaw | CWE-306 | 4.8 | Medium | 2026-03-21 |
| CVE-2026-32064 | OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer | OpenClaw | CWE-306 | 7.7 | High | 2026-03-21 |
| CVE-2026-3572 | iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field | iTracker360 | CWE-79 | 6.1 | Medium | 2026-03-20 |
| CVE-2026-3368 | Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name | Injection Guard | CWE-79 | 7.2 | High | 2026-03-20 |
| CVE-2026-33427 | Discourse Authorization Page Displays Unvalidated Redirect Domain | discourse | CWE-862 | 4.3 | - | 2026-03-20 |
| CVE-2026-33425 | Discourse has inferable private group membership or existence via exclude_groups parameter | discourse | CWE-203 | 5.3 | - | 2026-03-20 |
| CVE-2026-29796 | IGL-Technologies eParking.fi Missing Authentication for Critical Function | eParking.fi | CWE-306 | 9.4 | Critical | 2026-03-20 |
| CVE-2026-33231 | NLTK has unauthenticated remote shutdown in nltk.app.wordnet_app | nltk | CWE-306 | 7.5 | High | 2026-03-20 |
| CVE-2026-25192 | CTEK Chargeportal Missing Authentication for Critical Function | Chargeportal | CWE-306 | 9.4 | Critical | 2026-03-20 |
| CVE-2026-33204 | SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering | simplejwt | CWE-400 | 7.5 | High | 2026-03-20 |
| CVE-2026-33476 | SiYuan has an Unauthenticated Arbitrary File Read via Path Traversal | siyuan | CWE-22 | 7.5 | High | 2026-03-20 |
| CVE-2026-33203 | SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass | siyuan | CWE-248 | 7.5 | High | 2026-03-20 |
| CVE-2026-23536 | Feast: unauthenticated arbitrary file read | Red Hat OpenShift AI (RHOAI) | CWE-22 | 7.5 | High | 2026-03-20 |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | Kali Forms — Contact Form & Drag-and-Drop Builder | CWE-94 | 9.8 | Critical | 2026-03-20 |
| CVE-2026-33143 | OneUptime: WhatsApp Webhook Missing Signature Verification | oneuptime | CWE-345 | 5.3 | - | 2026-03-20 |
| CVE-2026-29794 | Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers | vikunja | CWE-807 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-32595 | Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration | traefik | CWE-208 | 3.7 | - | 2026-03-20 |
| CVE-2026-33072 | FileRise: Default Encryption Key Enables Token Forgery and Config Decryption | FileRise | CWE-798 | 8.2 | High | 2026-03-20 |

The access:pre-auth classification covers 19263 CVEs. The CWE column describes the underlying weakness class; review each individual CVE for product-specific impact.