
access:pre-auth — 20217 CVE vulnerabilities tagged

20217 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34723 | Zammad has incorrect access control in getting_started_controller | zammad | CWE-284 | 7.5 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-0811 | Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion | Advanced Contact form 7 DB | CWE-352 | 5.4 | Medium | 2026-04-08 |
| CVE-2026-2942 | ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess | ProSolution WP Client | CWE-434 | 9.8 | Critical | 2026-04-08 |
| CVE-2026-33756 | Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching | saleor | CWE-770 | 7.5 | High | 2026-04-08 |
| CVE-2025-14243 | Mirror-registry: openshift mirror registry: user enumeration via authentication error messages | mirror registry for Red Hat OpenShift | CWE-209 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39393 | Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms | ci4ms | CWE-306 | 8.1 | High | 2026-04-08 |
| CVE-2026-39390 | CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting | ci4ms | CWE-79 | 5.5 | Medium | 2026-04-08 |
| CVE-2026-5302 | Permissive Cross-domain Policy with Untrusted Domains in coolercontrold | coolercontrold | CWE-942 | 6.3 | Medium | 2026-04-08 |
| CVE-2026-5300 | Missing Authentication for Critical Function in coolercontrold | coolercontrold | CWE-306 | 5.9 | Medium | 2026-04-08 |
| CVE-2026-5301 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui | coolercontrol-ui | CWE-79 | 7.6 | High | 2026-04-08 |
| CVE-2026-1672 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | CWE-352 | 6.5 | Medium | 2026-04-08 |
| CVE-2026-3396 | WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection | WCAPF – Ajax Product Filter for WooCommerce | CWE-89 | 7.5 | High | 2026-04-08 |
| CVE-2026-1673 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | CWE-352 | 4.3 | Medium | 2026-04-08 |
| CVE-2026-4141 | Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form | Quran Translations | CWE-352 | 4.3 | Medium | 2026-04-08 |
| CVE-2026-5167 | Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint | Masteriyo LMS – Online Course Builder for eLearning, LMS & Education | CWE-639 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-3535 | DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter | DSGVO Google Web Fonts GDPR | CWE-434 | 9.8 | Critical | 2026-04-08 |
| CVE-2026-3594 | Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint | Riaxe Product Customizer | CWE-200 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-4338 | ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure | ActivityPub | (none listed) | 5.3 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-3646 | LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update | LTL Freight Quotes – R+L Carriers Edition | CWE-862 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-4003 | Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action | Users manager – PN | CWE-862 | 9.8 | Critical | 2026-04-08 |
| CVE-2026-3296 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | CWE-502 | 9.8 | Critical | 2026-04-08 |
| CVE-2026-3499 | Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions | Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce | CWE-352 | 8.8 | High | 2026-04-08 |
| CVE-2026-4394 | Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field | Gravity Forms | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-4406 | Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter | Gravity Forms | CWE-79 | 4.7 | Medium | 2026-04-07 |
| CVE-2026-4401 | Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling | Download Monitor | CWE-352 | 5.4 | Medium | 2026-04-07 |
| CVE-2026-2263 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation | Hustle – Email Marketing, Lead Generation, Optins, Popups | CWE-862 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-34045 | Podman Desktop WebView Server Exposed | podman-desktop | CWE-209 | 8.2 | High | 2026-04-07 |
| CVE-2026-33439 | Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM | OpenAM | CWE-502 | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-39373 | JWCrypto: JWE ZIP decompression bomb | jwcrypto | CWE-409 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-39367 | WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page | AVideo | CWE-79 | 5.4 | Medium | 2026-04-07 |

Values marked (AI) carry the site's AI badge on the original listing.

Vulnerabilities classified as access:pre-auth represent 20217 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.