Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 20998

20998 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2026-27179 MajorDoMo Unauthenticated SQL Injection in Commands Module — MajorDoMoCWE-89 8.2 High2026-02-18
CVE-2026-27177 MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint — MajorDoMoCWE-79 7.2 High2026-02-18
CVE-2026-27178 MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox — MajorDoMoCWE-79 7.2 High2026-02-18
CVE-2026-27175 MajorDoMo Command Injection in rc/index.php via Race Condition — MajorDoMoCWE-78 9.8 Critical2026-02-18
CVE-2026-27174 MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval — MajorDoMoCWE-94 9.8 Critical2026-02-18
CVE-2026-27182 Saturn Remote Mouse Server UDP Command Injection RCE — Saturn Remote Mouse ServerCWE-306 8.4 High2026-02-18
CVE-2026-23491 InvoicePlane has Unauthenticated Path Traversal in Guest Controller — InvoicePlaneCWE-22 7.5 -2026-02-18
CVE-2026-1404 Ultimate Member <= 2.11.1 - Reflected Cross-Site Scripting via Filter Parameters — Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership PluginCWE-79 6.1 Medium2026-02-18
CVE-2026-2329 Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow — GXP1610CWE-121 9.8 -2026-02-18
CVE-2026-2464 Directory Traversal in AMR Printer Management by AMR — AMR Printer Management Beta web serviceCWE-22 7.5AIHighAI2026-02-18
CVE-2026-1582 WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling — WP All Export – Drag & Drop Export to Any Custom CSV, XML & ExcelCWE-200 3.7 Low2026-02-18
CVE-2025-14799 Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization Bypass via Type Juggling — Brevo – Email, SMS, Web Push, Chat, and more.CWE-843 6.5 Medium2026-02-18
CVE-2025-14444 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment — RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User LoginCWE-345 5.3 Medium2026-02-18
CVE-2026-2126 User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter — User Submitted Posts – Enable Users to Submit Posts from the Front EndCWE-863 5.3 Medium2026-02-18
CVE-2026-1656 Business Directory Plugin <= 6.4.20 - Missing Authorization to Unauthenticated Arbitrary Listing Modification — Business Directory Plugin – Easy Listing Directories for WordPressCWE-862 5.3 Medium2026-02-18
CVE-2026-2495 WPNakama <= 0.6.5 - Unauthenticated SQL Injection via 'order' REST API Parameter — WPNakama – Team and multi-Client Collaboration, Editorial and Project ManagementCWE-89 7.5 High2026-02-18
CVE-2026-2112 Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion — Dam SpamCWE-352 4.3 Medium2026-02-18
CVE-2026-1666 Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter — Download ManagerCWE-79 6.1 Medium2026-02-18
CVE-2026-1368 Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation — Video Conferencing with Zoom 7.5AIHighAI2026-02-18
CVE-2026-1072 Keybase.io Verification <= 1.4.5 - Cross-Site Request Forgery to Settings Update — Keybase.io VerificationCWE-352 4.3 Medium2026-02-18
CVE-2026-2023 WP Plugin Info Card <= 6.2.0 - Cross-Site Request Forgery to Arbitrary Custom Plugin Entry Creation — WP Plugin Info CardCWE-352 4.3 Medium2026-02-18
CVE-2026-1714 ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action — ShopLentor – All-in-One WooCommerce Growth & Store Enhancement PluginCWE-93 8.6 High2026-02-18
CVE-2026-2576 Business Directory Plugin <= 6.4.21 - Unauthenticated SQL Injection via payment Parameter — Business Directory Plugin – Easy Listing Directories for WordPressCWE-89 7.5 High2026-02-18
CVE-2026-1277 URL Shortify <= 1.12.1 - Unauthenticated Open Redirect via 'redirect_to' Parameter — URL Shortify – Simple and Easy URL ShortenerCWE-601 4.7 Medium2026-02-18
CVE-2026-1296 Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter — Frontend Post Submission Manager Lite – Frontend Posting WordPress PluginCWE-601 6.1 Medium2026-02-18
CVE-2026-1931 Rent Fetch <= 0.32.4 - Unauthenticated Stored Cross-Site Scripting via 'keyword' Parameter — Rent FetchCWE-79 7.2 High2026-02-18
CVE-2025-12074 Context Blog <= 1.2.5 - Unauthenticated Private Post Disclosure — Context BlogCWE-200 5.3 Medium2026-02-18
CVE-2025-70141 SourceCodester Customer Support System 安全漏洞 — n/a 9.8AICriticalAI2026-02-18
CVE-2025-70148 CodeAstro Membership Management System 安全漏洞 — n/a 7.5 High2026-02-18
CVE-2025-70150 CodeAstro Membership Management System 安全漏洞 — n/a 9.8 Critical2026-02-18

Vulnerabilities classified as access:pre-auth represent 20998 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.