access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41426 | pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates | pretalx | CWE-79 | 6.1 | Medium | 2026-04-24 |
| CVE-2026-41492 | Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph | dgraph | CWE-200 | 9.8 | Critical | 2026-04-24 |
| CVE-2026-41327 | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field | dgraph | CWE-943 | 9.1 | Critical | 2026-04-24 |
| CVE-2026-41328 | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field | dgraph | CWE-943 | 9.1 | Critical | 2026-04-24 |
| CVE-2026-41680 | Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer | marked | CWE-400 | 7.5 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-6911 | Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel | AWS Ops Wheel | CWE-347 | 9.8 | Critical | 2026-04-24 |
| CVE-2026-39920 | BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE | FileStore | CWE-1188 | 9.8 | Critical | 2026-04-24 |
| CVE-2026-6043 | Insecure Default Configuration in P4 Server | Helix Core Server (P4D) | CWE-1188 | 9.8 (AI) | Critical (AI) | 2026-04-24 |
| CVE-2026-3569 | Liaison Site Prober <= 1.2.1 - Missing Authorization to Unauthenticated Information Exposure in '/logs' REST API Endpoint | Liaison Site Prober | CWE-862 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-3565 | Taqnix <= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action | Taqnix | CWE-352 | 4.3 | Medium | 2026-04-24 |
| CVE-2026-5347 | WP Books Gallery <= 4.8.0 - Missing Authorization to Unauthenticated Settings Update via 'permalink_structure' Parameter | WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes | CWE-862 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-5364 | Drag and Drop File Upload for Contact Form 7 <= 1.1.3 - Unauthenticated Arbitrary File Upload via sanitize_file_name Bypass | Drag and Drop File Upload for Contact Form 7 | CWE-434 | 8.1 | High | 2026-04-24 |
| CVE-2026-6947 | D-Link\|DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass | DWM-222W | CWE-307 | 7.5 | High | 2026-04-24 |
| CVE-2026-25775 | SenseLive X3050 Missing authentication for critical function | X3050 | CWE-306 | 9.8 | Critical | 2026-04-24 |
| CVE-2026-35064 | SenseLive X3050 Missing authentication for critical function | X3050 | CWE-306 | 7.5 | High | 2026-04-24 |
| CVE-2026-30368 | Lightspeed Classroom security vulnerability | Lightspeed Classroom | CWE-863 | 5.4 | Medium | 2026-04-24 |
| CVE-2026-41343 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | OpenClaw | CWE-799 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41342 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | OpenClaw | CWE-346 | 7.3 | High | 2026-04-23 |
| CVE-2026-28525 | SWUpdate Integer Underflow in Multipart Upload Parser | swupdate | CWE-191 | 6.8 | Medium | 2026-04-23 |
| CVE-2026-6376 | Missing authentication for critical function in SpiceJet Online Booking System | Online Booking System | CWE-306 | 5.3 (AI) | Medium (AI) | 2026-04-23 |
| CVE-2026-6375 | Authorization bypass through User-Controlled key in SpiceJet Online Booking System | Online Booking System | CWE-639 | 5.3 (AI) | Medium (AI) | 2026-04-23 |
| CVE-2026-41264 | Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability | Flowise | CWE-184 | 9.8 (AI) | Critical (AI) | 2026-04-23 |
| CVE-2026-41265 | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability | Flowise | CWE-77 | 9.6 (AI) | Critical (AI) | 2026-04-23 |
| CVE-2026-41279 | Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials | Flowise | CWE-639 | 8.2 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-25874 | LeRobot Unsafe Deserialization Remote Code Execution via gRPC | LeRobot | CWE-502 | 9.8 (AI) | Critical (AI) | 2026-04-23 |
| CVE-2026-41273 | Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow | Flowise | CWE-306 | 7.5 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-41271 | Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains | Flowise | CWE-918 | 8.6 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-41268 | Flowise: Flowise Parameter Override Bypass Remote Command Execution | Flowise | CWE-20 | 9.8 (AI) | Critical (AI) | 2026-04-23 |
| CVE-2026-41267 | Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association | Flowise | CWE-639 | 8.1 | High | 2026-04-23 |
| CVE-2026-6074 | Path traversal: '.../...//' in Intrado 911 Emergency Gateway (EGW) | 911 Emergency Gateway | CWE-35 | 9.8 (AI) | Critical (AI) | 2026-04-23 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.