
access:pre-auth — CVE vulnerabilities tagged 19065

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-54342 | Eclipse Equinox OSGi 3.8-3.18 Console Remote Code Execution | [OSGi | CWE-306 | 9.8 | Critical | 2026-05-05 |
| CVE-2026-3359 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs' | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | CWE-89 | 7.5 | High | 2026-05-05 |
| CVE-2026-5192 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]' | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-22 | 7.5 | High | 2026-05-05 |
| CVE-2026-2729 | Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | CWE-639 | 5.3 | Medium | 2026-05-05 |
| CVE-2026-4362 | ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | CWE-862 | 6.5 | Medium | 2026-05-05 |
| CVE-2026-4803 | Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta | Royal Addons for Elementor – Addons and Templates Kit for Elementor | CWE-79 | 7.2 | High | 2026-05-05 |
| CVE-2026-5294 | GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action | GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | CWE-862 | 9.8 | Critical | 2026-05-05 |
| CVE-2026-3456 | GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey' | GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | CWE-89 | 7.5 | High | 2026-05-05 |
| CVE-2026-35228 | Oracle MCP Server Helper Tool SQL injection vulnerability | Oracle MCP Server Helper Tool product of Oracle Open Source Projects | | 8.7 | High | 2026-05-05 |
| CVE-2026-6704 | Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter | Blog Settings | CWE-79 | 6.1 | Medium | 2026-05-05 |
| CVE-2026-6700 | DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update | DX Sources | CWE-352 | 4.3 | Medium | 2026-05-05 |
| CVE-2026-6702 | Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter | Publish 2 Ping.fm | CWE-352 | 6.1 | Medium | 2026-05-05 |
| CVE-2026-4409 | Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management | Subscribe To Comments Reloaded | CWE-200 | 6.5 | Medium | 2026-05-05 |
| CVE-2026-5100 | AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions' | AWP Classifieds | CWE-89 | 7.5 | High | 2026-05-05 |
| CVE-2026-6696 | Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter | Zingaya Click-to-Call | CWE-79 | 6.1 | Medium | 2026-05-05 |
| CVE-2025-13618 | Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration | Mentoring | CWE-269 | 9.8 | Critical | 2026-05-05 |
| CVE-2026-6701 | addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page | addfreespace | CWE-352 | 4.3 | Medium | 2026-05-05 |
| CVE-2026-5722 | MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse | MoreConvert Pro | CWE-287 | 9.8 | Critical | 2026-05-05 |
| CVE-2026-43002 | OpenStack Horizon security vulnerability | Horizon | CWE-696 | 5.3 | Medium | 2026-05-05 |
| CVE-2026-36356 | MeiG FORGE_SLT711 OS command injection vulnerability | n/a | | 9.8 | - | 2026-05-05 |
| CVE-2026-42238 | Unauthenticated Remote Code Execution via Backup Restore in nginx-ui | nginx-ui | CWE-94 | 9.8 | - | 2026-05-04 |
| CVE-2026-42222 | nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover | nginx-ui | CWE-306 | 8.1 | High | 2026-05-04 |
| CVE-2026-42221 | nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim | nginx-ui | CWE-306 | 8.1 | High | 2026-05-04 |
| CVE-2026-41927 | WDR201A WiFi Extender Stack-Based Buffer Overflow via firewall.cgi | WDR201A WiFi Extender | CWE-121 | 9.8 | - | 2026-05-04 |
| CVE-2026-41925 | WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time) | WDR201A WiFi Extender | CWE-78 | 9.8 | - | 2026-05-04 |
| CVE-2026-7768 | @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth | @fastify/accepts-serializer | CWE-770 | 7.5 | High | 2026-05-04 |
| CVE-2026-41924 | WDR201A WiFi Extender OS Command Injection via makeRequest.cgi | WDR201A WiFi Extender | CWE-78 | 9.8 | - | 2026-05-04 |
| CVE-2026-41923 | WDR201A WiFi Extender OS Command Injection via internet.cgi | WDR201A WiFi Extender | CWE-78 | 9.8 | - | 2026-05-04 |
| CVE-2026-41922 | WDR201A WiFi Extender OS Command Injection via wireless.cgi | WDR201A WiFi Extender | CWE-78 | 9.8 | - | 2026-05-04 |
| CVE-2026-42236 | n8n: Unauthenticated Denial of Service via MCP Client Registration | n8n | CWE-770 | 7.5 | - | 2026-05-04 |

The access:pre-auth tag covers 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.