access:pre-auth — CVE vulnerabilities tagged 19386

19386 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33314 | pyload-ng: Improper Authentication and Origin Validation Error — pyload (CWE-287) | 6.5 | Medium | 2026-03-24 |
| CVE-2026-29772 | Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands — astro (CWE-770) | 5.9 | Medium | 2026-03-24 |
| CVE-2026-23923 | Unauthenticated arbitrary PHP class instantiation — Zabbix (CWE-470) | 9.8 | - | 2026-03-24 |
| CVE-2026-33538 | Parse Server: Denial of service via unindexed database query for unconfigured auth providers — parse-server (CWE-400) | 7.5 | - | 2026-03-24 |
| CVE-2026-33498 | Parse Server: Query condition depth bypass via pre-validation transform pipeline — parse-server (CWE-674) | 7.5 | - | 2026-03-24 |
| CVE-2026-2417 | Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller — Mosaic Show Controller (CWE-306) | 9.8 | - | 2026-03-24 |
| CVE-2026-33323 | Parse Server: Email verification resend page leaks user existence — parse-server (CWE-204) | 5.3 | - | 2026-03-24 |
| CVE-2026-33160 | Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL — cms (CWE-639) | 5.3 | - | 2026-03-24 |
| CVE-2026-33159 | Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users — cms (CWE-306) | 8.6 | - | 2026-03-24 |
| CVE-2026-33340 | LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint — lollms-webui (CWE-306) | 9.1 | Critical | 2026-03-24 |
| CVE-2026-33484 | Langflow has Unauthenticated IDOR on Image Downloads — langflow (CWE-284) | 7.5 | High | 2026-03-24 |
| CVE-2026-33475 | Langflow GitHub Actions Shell Injection — langflow (CWE-74) | 9.1 | Critical | 2026-03-24 |
| CVE-2019-25643 | eNdonesia Portal v8.7 SQL Injection via banners.php — eNdonesia Portal (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25642 | Bootstrapy CMS Lastest Multiple SQL Injection via Forum and Contact Modules — Bootstrapy CMS (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25641 | Netartmedia Vlog System Lastest SQL Injection via email Parameter — Netartmedia Vlog System (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25640 | Inout Article Base CMS Lastest SQL Injection via portalLogin.php — Inout Article Base CMS (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25639 | Matrimony Website Script M-Plus Multiple SQL Injection — Matrimony Website Script (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25638 | Meeplace Business Review Script Lastest SQL Injection via addclick.php — Meeplace Business Review Script (CWE-89) | 7.1 | High | 2026-03-24 |
| CVE-2019-25636 | Zeeways Jobsite CMS Lastest SQL Injection via id Parameter — Zeeways Jobsite CMS (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25635 | Zeeways Matrimony CMS Lastest SQL Injection via profile_list — Zeeways Matrimony CMS (CWE-89) | 8.2 | High | 2026-03-24 |
| CVE-2019-25632 | phpFileManager 1.7.8 Local File Inclusion via index.php — phpFileManager (CWE-306) | 6.2 | Medium | 2026-03-24 |
| CVE-2026-4649 | Auth bypass in Apache Artemis allows reading all internal messages — KNIME Business Hub (CWE-306) | 6.5 | - | 2026-03-24 |
| CVE-2026-3509 | CODESYS Control Audit Log Format String DoS — CODESYS Control RTE (SL) (CWE-134) | 7.5 | High | 2026-03-24 |
| CVE-2026-4283 | WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users — WP DSGVO Tools (GDPR) (CWE-862) | 9.1 | Critical | 2026-03-24 |
| CVE-2026-4662 | JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter — JetEngine (CWE-89) | 7.5 | High | 2026-03-24 |
| CVE-2026-3138 | Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE — Product Filter for WooCommerce by WBW (CWE-862) | 6.5 | Medium | 2026-03-24 |
| CVE-2026-4640 | Galaxy Software Services\|Vitals ESP - Missing Authentication — Vitals ESP (CWE-306) | 7.5 | High | 2026-03-24 |
| CVE-2026-3260 | Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests — Red Hat build of Apache Camel for Spring Boot 4 (CWE-770) | 5.9 | Medium | 2026-03-24 |
| CVE-2026-30655 | e-SIC Livre security vulnerability — n/a | 7.5 | - | 2026-03-24 |
| CVE-2026-33283 | Ella Core panics on malformed ULNASTransport Message without a Request Type — core (CWE-476) | 6.5 | Medium | 2026-03-23 |

19386 CVEs are classified as access:pre-auth. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.