Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 20978

20978 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2018-25187 Tina4 Stack 1.0.3 SQL Injection and Database File Download — Tina4 StackCWE-89 8.2 High2026-03-06
CVE-2018-25188 Webiness Inventory 2.3 SQL Injection via WsModelGrid.php — Webiness InventoryCWE-89 8.2 High2026-03-06
CVE-2018-25186 Tina4 Stack 1.0.3 Cross-Site Request Forgery via profile — Tina4 StackCWE-352 5.3 Medium2026-03-06
CVE-2018-25184 Surreal ToDo 0.6.1.2 Local File Inclusion via index.php — Surreal ToDoCWE-22 6.2 Medium2026-03-06
CVE-2018-25181 Musicco 2.0.0 Arbitrary Directory Download via Path Traversal — MusiccoCWE-22 7.5 High2026-03-06
CVE-2018-25182 Silurus Classifieds Script 2.0 SQL Injection via wcategory.php — Silurus Classifieds ScriptCWE-89 8.2 High2026-03-06
CVE-2018-25179 Gumbo CMS 0.99 SQL Injection via settings endpoint — Gumbo CMSCWE-89 8.2 High2026-03-06
CVE-2018-25178 Easyndexer 1.0 Arbitrary File Download via showtif.php — EasyndexerCWE-22 7.5 High2026-03-06
CVE-2018-25176 Alive Parish 2.0.4 SQL Injection and Arbitrary File Upload — Alive ParishCWE-352 8.2 High2026-03-06
CVE-2018-25177 Data Center Audit 2.6.2 Cross-Site Request Forgery via dca_resetpw.php — Data Center AuditCWE-352 5.3 Medium2026-03-06
CVE-2018-25175 Alienor Web Libre 2.0 SQL Injection via index.php — Alienor Web LibreCWE-89 8.2 High2026-03-06
CVE-2018-25174 ABC ERP 0.6.4 Cross-Site Request Forgery via _configurar_perfil.php — ABC ERPCWE-352 5.3 Medium2026-03-06
CVE-2018-25173 Rmedia SMS 1.0 SQL Injection via editgrp.php — Rmedia SMSCWE-89 8.2 High2026-03-06
CVE-2018-25172 Pedidos 1.0 SQL Injection via load_proveedores.php — PedidosCWE-89 8.2 High2026-03-06
CVE-2018-25170 DoceboLMS 1.2 SQL Injection via lesson.php — DoceboLMSCWE-352 8.2 High2026-03-06
CVE-2018-25171 EdTv 2 SQL Injection via id Parameter — EdTvCWE-434 8.2 High2026-03-06
CVE-2018-25168 Precurio Intranet Portal 2.0 Cross-Site Request Forgery Add Admin — Precurio Intranet PortalCWE-434 4.3 Medium2026-03-06
CVE-2018-25167 Net-Billetterie 2.9 SQL Injection via login.inc.php — BilletterieCWE-89 8.2 High2026-03-06
CVE-2018-25166 Meneame English Pligg 5.8 SQL Injection via search Parameter — Meneame English PliggCWE-89 8.2 High2026-03-06
CVE-2018-25163 BitZoom 1.0 SQL Injection via rollno Parameter — BitZoomCWE-89 8.2 High2026-03-06
CVE-2018-25164 EverSync 0.5 Arbitrary File Download via files Directory — EverSyncCWE-552 7.5 High2026-03-06
CVE-2026-3589 WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF — WooCommerce 8.8 -2026-03-06
CVE-2026-2331 CVE-2026-2331 — SICK Lector85xCWE-552 9.8 Critical2026-03-06
CVE-2026-2330 CVE-2026-2330 — SICK Lector85xCWE-552 9.4 Critical2026-03-06
CVE-2026-2830 WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath' — WP All Import – Drag & Drop Import for CSV, XML, Excel & Google SheetsCWE-94 6.1 Medium2026-03-06
CVE-2026-29183 SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution — siyuanCWE-79 9.3 Critical2026-03-06
CVE-2026-29059 Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly — windmillCWE-22 7.5 -2026-03-06
CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php — AVideo-EncoderCWE-78 9.8 Critical2026-03-06
CVE-2026-2446 Powerpack for LearnDash < 1.3.0 - Unauthenticated Arbitrary Option Update — PowerPack for LearnDash 9.8 -2026-03-06
CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization — orpcCWE-1321 9.8 -2026-03-06

Vulnerabilities classified as access:pre-auth represent 20978 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.