access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-4138 | DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update — DX Unanswered Comments (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-6294 | Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page — Google PageRank Display (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-4121 | Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update — Kcaptcha (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-4090 | Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form — Inquiry cart (CWE-352) | 6.1 | Medium | 2026-04-22 |
| CVE-2026-6235 | Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests — Sendmachine for WordPress (CWE-862) | 9.8 | Critical | 2026-04-22 |
| CVE-2026-4118 | Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update — Call To Action Plugin (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-4139 | mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function — mCatFilter (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-4140 | Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action — Ni WooCommerce Order Export (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-6396 | Fast & Fancy Filter – 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action — Fast & Fancy Filter – 3F (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-4133 | TextP2P Texting Widget <= 1.7 - Cross-Site Request Forgery to Settings Update — TextP2P Texting Widget (CWE-352) | 4.3 | Medium | 2026-04-22 |
| CVE-2026-4131 | WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter — WP Responsive Popup + Optin (CWE-352) | 6.1 | Medium | 2026-04-22 |
| CVE-2026-6835 | aEnrich\|a+HCM - Arbitrary File Upload — a+HCM (CWE-434) | 6.1 | Medium | 2026-04-22 |
| CVE-2026-41458 | OwnTone Server < 29.1 Race Condition DoS via DAAP Login — owntone-server (CWE-362) | 5.9 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-41135 | free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service — pcf (CWE-400) | 7.5 | High | 2026-04-21 |
| CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint — cms (CWE-918) | 10.0 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-40575 | OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing — oauth2-proxy (CWE-290) | 9.1 | Critical | 2026-04-21 |
| CVE-2026-41059 | OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex — oauth2-proxy (CWE-288) | 8.2 | High | 2026-04-21 |
| CVE-2026-40935 | WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure — AVideo (CWE-804) | 5.3 | Medium | 2026-04-21 |
| CVE-2026-5921 | Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack — Enterprise Server (CWE-918) | 7.5 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-35245 | Oracle VM VirtualBox security vulnerability — Oracle VM VirtualBox | 7.5 | High | 2026-04-21 |
| CVE-2026-35231 | Oracle Financial Services Transaction Filtering security vulnerability — Oracle Financial Services Transaction Filtering | 7.5 | High | 2026-04-21 |
| CVE-2026-35229 | Oracle Database Server security vulnerability — Oracle Database Server | 7.5 | High | 2026-04-21 |
| CVE-2026-34323 | Oracle Life Sciences InForm security vulnerability — Oracle Life Sciences InForm | 6.3 | Medium | 2026-04-21 |
| CVE-2026-34324 | Oracle Life Sciences InForm security vulnerability — Oracle Life Sciences InForm | 6.5 | Medium | 2026-04-21 |
| CVE-2026-34320 | Oracle Financial Services Customer Screening security vulnerability — Oracle Financial Services Customer Screening | 7.5 | High | 2026-04-21 |
| CVE-2026-34315 | Oracle WebLogic Server security vulnerability — Oracle WebLogic Server | 6.5 | Medium | 2026-04-21 |
| CVE-2026-34310 | Oracle Financial Services Analytical Applications Infrastructure security vulnerability — Oracle Financial Services Analytical Applications Infrastructure | 7.5 | High | 2026-04-21 |
| CVE-2026-34305 | Oracle WebLogic Server security vulnerability — Oracle WebLogic Server | 7.5 | High | 2026-04-21 |
| CVE-2026-34297 | Oracle HCM Common Architecture security vulnerability — Oracle HCM Common Architecture | 7.5 | High | 2026-04-21 |
| CVE-2026-34290 | Oracle Identity Manager Connector security vulnerability — Oracle Identity Manager Connector | 7.5 | High | 2026-04-21 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.