
access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth", each with AI-generated Chinese-language analysis, CVSS scores, references and PoCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

Entries marked "(AI)" carry an AI-estimated CVSS score and severity rather than a vendor- or NVD-assigned one.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39109 | PHPGurukul Apartment Visitors Management System security vulnerability | n/a | n/a | 7.5 (AI) | High (AI) | 2026-04-20 |
| CVE-2026-6571 | kodcloud KodExplorer systemRole.class.php roleGroupAction authorization | KodExplorer | CWE-639 | 6.3 | Medium | 2026-04-19 |
| CVE-2026-1838 | Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter | Hostel | CWE-79 | 6.1 | Medium | 2026-04-18 |
| CVE-2026-40485 | ChurchCRM: Username Enumeration via Differential Response in Public Login API | CRM | CWE-307 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-2262 | Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API | Easy Appointments | CWE-200 | 7.5 | High | 2026-04-17 |
| CVE-2026-40481 | monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation | monetr | CWE-400 | 7.5 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-40478 | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | thymeleaf | CWE-917 | 9.1 | Critical | 2026-04-17 |
| CVE-2026-40477 | Improper restriction of the scope of accessible objects in Thymeleaf expressions | thymeleaf | CWE-917 | 9.1 | Critical | 2026-04-17 |
| CVE-2026-40321 | DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload | Dnn.Platform | CWE-87 | 8.1 | High | 2026-04-17 |
| CVE-2026-40351 | FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass | FastGPT | CWE-943 | 9.8 | Critical | 2026-04-17 |
| CVE-2026-40303 | zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing | zrok | CWE-400 | 7.5 | High | 2026-04-17 |
| CVE-2026-33689 | xrdp: Pre-authentication out-of-bounds reads in channel parsers | xrdp | CWE-125 | 8.2 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-32624 | xrdp: Heap buffer overflow in xrdp_sec_process_logon_info() via incorrect g_strncat length calculation | xrdp | CWE-122 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-33516 | xrdp: Pre-authentication out-of-bounds reads in RDP capability and channel parsers | xrdp | CWE-125 | 9.1 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40066 | Anviz Products Download of Code Without Integrity Check | Anviz CX7 Firmware | CWE-494 | 8.8 | High | 2026-04-17 |
| CVE-2026-35546 | Anviz Products Missing Authentication for Critical Function | Anviz CX7 Firmware | CWE-306 | 9.8 | Critical | 2026-04-17 |
| CVE-2026-40461 | Anviz Products Missing Authentication for Critical Function | Anviz CX7 Firmware | CWE-306 | 7.5 | High | 2026-04-17 |
| CVE-2026-32648 | Anviz Products Missing Authorization | Anviz CX7 Firmware | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-32105 | xrdp: RDP MAC signature (dataSignature) never verified on receive — integrity bypass in non-TLS mode | xrdp | CWE-354 | 5.9 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-35061 | Anviz Products Missing Authorization | Anviz CX7 Firmware | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-33093 | Anviz Products Missing Authorization | Anviz CX7 Firmware | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-35215 | Firebird: DoS via malicious slice descriptor in slice packet | firebird | CWE-369 | 7.5 | High | 2026-04-17 |
| CVE-2026-34232 | Firebird: DoS via `op_response` packet from client | firebird | CWE-228 | 7.5 | High | 2026-04-17 |
| CVE-2026-33337 | Firebird has a buffer overflow when parsing corrupted slice packets | firebird | CWE-120 | 7.5 | High | 2026-04-17 |
| CVE-2026-28224 | Firebird Null Pointer Dereference via CryptCallback causes DoS | firebird | CWE-476 | 8.2 | High | 2026-04-17 |
| CVE-2026-27890 | Firebird has Pre-Auth DoS when Processing Out of Order CNCT_specific_data Segments | firebird | CWE-119 | 8.2 | High | 2026-04-17 |
| CVE-2026-28212 | Firebird has potential server crash via null pointer dereference when processing op_slice packet | firebird | CWE-476 | 7.5 | High | 2026-04-17 |
| CVE-2026-5710 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field | Drag and Drop Multiple File Upload for Contact Form 7 | CWE-22 | 7.5 | High | 2026-04-17 |
| CVE-2026-5718 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass | Drag and Drop Multiple File Upload for Contact Form 7 | CWE-434 | 8.1 | High | 2026-04-17 |
| CVE-2026-6497 | prasathmani TinyFileManager File Upload filemanager.php server-side request forgery | TinyFileManager | CWE-918 | 6.3 | Medium | 2026-04-17 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.