access:pre-auth — tagged CVE vulnerabilities (19065)

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-42235 | n8n: XSS via MCP OAuth client — n8n (CWE-87) | 8.8 | - | 2026-05-04 |
| CVE-2026-25863 | Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption — Conditional Fields for Contact Form 7 (CWE-1284) | 7.5 | High | 2026-05-04 |
| CVE-2026-42230 | n8n: Open Redirect in MCP OAuth Consent Flow — n8n (CWE-601) | 6.1 | - | 2026-05-04 |
| CVE-2026-42228 | n8n: Hijacking of Unauthenticated Chat Execution — n8n (CWE-862) | 8.6 | - | 2026-05-04 |
| CVE-2026-42154 | Prometheus: remote read endpoint allows denial of service via crafted snappy payload — prometheus (CWE-400) | 7.5 | High | 2026-05-04 |
| CVE-2026-41572 | Note Mark: Unauthenticated read of notes and assets in soft-deleted public books — note-mark (CWE-285) | 5.3 | Medium | 2026-05-04 |
| CVE-2026-41571 | Note Mark: OIDC-registered users authenticated by submitting password "null" — note-mark (CWE-287) | 9.4 | Critical | 2026-05-04 |
| CVE-2026-41471 | Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint — easy-paypal-events-tickets (CWE-639) | 7.5 | High | 2026-05-04 |
| CVE-2026-32834 | Easy PayPal Events & Tickets 1.3 Authentication Bypass via QR Code Scanning — easy-paypal-events-tickets (CWE-798) | 7.5 | High | 2026-05-04 |
| CVE-2026-42138 | Dify Vulnerable to Stored XSS via SVG-file upload — dify (CWE-79) | 6.1 | - | 2026-05-04 |
| CVE-2026-42796 | Arelle < 2.39.10 Unauthenticated RCE via /rest/configure — Arelle (CWE-306) | 9.8 | Critical | 2026-05-04 |
| CVE-2026-42376 | D-Link DIR-456U A1 Hardcoded Telnet Backdoor Credentials — DIR-456U Firmware (CWE-798) | 9.8 | Critical | 2026-05-04 |
| CVE-2026-42375 | D-Link DIR-600L A1 Hardcoded Telnet Backdoor Credentials — DIR-600L Firmware (CWE-798) | 9.8 | Critical | 2026-05-04 |
| CVE-2026-42374 | D-Link DIR-600L B1 Hardcoded Telnet Backdoor Credentials — DIR-600L Firmware (CWE-798) | 9.8 | Critical | 2026-05-04 |
| CVE-2026-42373 | D-Link DIR-605L B2 Hardcoded Telnet Backdoor Credentials — DIR-605L Firmware (CWE-798) | 9.8 | Critical | 2026-05-04 |
| CVE-2026-42372 | D-Link DIR-605L A1 Hardcoded Telnet Backdoor Credentials — DIR-605L Firmware (CWE-798) | 8.8 | High | 2026-05-04 |
| CVE-2026-33007 | Apache HTTP Server: mod_authn_socache crash — Apache HTTP Server (CWE-476) | 7.5 | - | 2026-05-04 |
| CVE-2026-7482 | Ollama heap out-of-bounds read in GGUF tensor parsing leaks server process memory to unauthenticated remote attackers — ollama (CWE-125) | 9.1 | Critical | 2026-05-04 |
| CVE-2026-33846 | Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly — Red Hat Hardened Images (CWE-130) | 7.5 | High | 2026-05-04 |
| CVE-2026-42370 | GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability — GV-VMS V20.0.2 (CWE-787) | 9.0 | Critical | 2026-05-04 |
| CVE-2026-7372 | GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability — GV-VMS V20.0.2 (CWE-787) | 9.0 | Critical | 2026-05-04 |
| CVE-2026-5063 | NEX-Forms <= 9.1.11 - Unauthenticated Stored Cross-Site Scripting via POST Parameter Key Names — NEX-Forms – Ultimate Forms Plugin for WordPress (CWE-79) | 7.2 | High | 2026-05-03 |
| CVE-2026-3504 | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy (CWE-200) | 5.3 | Medium | 2026-05-02 |
| CVE-2026-6817 | Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason' — Quiz Maker by AYS (CWE-79) | 5.8 | Medium | 2026-05-02 |
| CVE-2026-6320 | Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal — Salon Booking System – Free Version (CWE-22) | 7.5 | High | 2026-05-02 |
| CVE-2026-4061 | Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter — Geo Mashup (CWE-89) | 7.5 | High | 2026-05-02 |
| CVE-2026-4062 | Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'object_ids' Parameter — Geo Mashup (CWE-89) | 7.5 | High | 2026-05-02 |
| CVE-2026-4060 | Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'sort' Parameter — Geo Mashup (CWE-89) | 7.5 | High | 2026-05-02 |
| CVE-2026-4024 | Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification — Royal Addons for Elementor – Addons and Templates Kit for Elementor (CWE-862) | 5.3 | Medium | 2026-05-02 |
| CVE-2026-5324 | Brizy – Page Builder <= 2.8.11 - Unauthenticated Stored Cross-Site Scripting via FileUpload Field Value — Brizy – Page Builder (CWE-79) | 7.2 | High | 2026-05-02 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.