access:pre-auth — CVE vulnerabilities tagged (19065)

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-6433 | Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE — Custom css-js-php | 9.8 (AI) | Critical (AI) | 2026-05-11 |
| CVE-2021-47946 | OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery — OpenCart (CWE-352) | 5.3 | Medium | 2026-05-10 |
| CVE-2021-47941 | WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss_params — Survey & Poll (CWE-89) | 8.2 | High | 2026-05-10 |
| CVE-2021-47940 | WordPress Download From Files 1.48 Arbitrary File Upload — Download From Files (CWE-306) | 9.8 | Critical | 2026-05-10 |
| CVE-2021-47936 | OpenCATS 0.9.4 Remote Code Execution via Resume Upload — OpenCATS (CWE-306) | 9.8 | Critical | 2026-05-10 |
| CVE-2021-47933 | WordPress MStore API 2.0.6 Arbitrary File Upload — MStore API (CWE-306) | 9.8 | Critical | 2026-05-10 |
| CVE-2021-47932 | WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated — TheCartPress (CWE-862) | 9.8 | Critical | 2026-05-10 |
| CVE-2021-47930 | Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated — Balbooa Joomla Forms Builder (CWE-89) | 8.2 | High | 2026-05-10 |
| CVE-2021-47928 | Opencart TMD Vendor System 3.x Blind SQL Injection via product route — Extension TMD Vendor System (CWE-89) | 8.2 | High | 2026-05-10 |
| CVE-2022-50959 | WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php — Contact Form Builder (CWE-79) | 6.1 | Medium | 2026-05-10 |
| CVE-2022-50958 | WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php — Jetpack (CWE-79) | 6.1 | Medium | 2026-05-10 |
| CVE-2022-50957 | Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS — avatar_uploader (CWE-79) | 6.1 | Medium | 2026-05-10 |
| CVE-2022-50956 | WordPress Plugin amministrazione-aperta 3.7.3 Local File Read — amministrazione-aperta (CWE-22) | 6.2 | Medium | 2026-05-10 |
| CVE-2022-50954 | WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion — cab-fare-calculator (CWE-98) | 6.2 | Medium | 2026-05-10 |
| CVE-2022-50943 | Moodle LMS 4.0 Cross-Site Scripting via course search.php — Moodle LMS (CWE-79) | 6.1 | Medium | 2026-05-10 |
| CVE-2026-7262 | NULL pointer dereference in SOAP apache:Map decoder with missing <value> — PHP (CWE-476) | 7.5 (AI) | High (AI) | 2026-05-10 |
| CVE-2026-42606 | AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass — AzuraCast (CWE-640) | 8.1 | High | 2026-05-09 |
| CVE-2026-42569 | phpvms: /importer authorization bypass causing full database wipe — phpvms (CWE-284) | 9.4 | Critical | 2026-05-09 |
| CVE-2026-8198 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Disclosure via REST API — Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity (CWE-200) | 5.3 | Medium | 2026-05-09 |
| CVE-2026-1749 | Hikvision HikCentral Professional Unauthorized Acquisition of Administrator Privileges Vulnerability — HikCentral Professional | 6.8 | Medium | 2026-05-09 |
| CVE-2026-42461 | Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets) — arcane (CWE-862) | 7.5 (AI) | High (AI) | 2026-05-09 |
| CVE-2026-7652 | LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-640) | 5.3 | Medium | 2026-05-09 |
| CVE-2026-6664 | PgBouncer integer overflow in PgBouncer network packet parsing — PgBouncer (CWE-190) | 7.5 | High | 2026-05-09 |
| CVE-2026-42351 | pygeoapi: Path Traversal in STAC FileSystemProvider — pygeoapi (CWE-22) | 7.5 | High | 2026-05-08 |
| CVE-2026-42298 | Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev — postiz-app (CWE-94) | 10.0 | Critical | 2026-05-08 |
| CVE-2026-41432 | New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud — new-api (CWE-345) | 7.1 | High | 2026-05-08 |
| CVE-2026-44286 | FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation — FastGPT (CWE-918) | 8.1 (AI) | High (AI) | 2026-05-08 |
| CVE-2026-42302 | FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox — FastGPT (CWE-306) | 9.8 | Critical | 2026-05-08 |
| CVE-2026-42193 | Plunk: SNS webhook forgery — plunk (CWE-347) | 9.1 | Critical | 2026-05-08 |
| CVE-2026-42282 | n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode — n8n-mcp (CWE-532) | 4.3 | Medium | 2026-05-08 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.