Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21176

21176 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2020-36907 Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated Remote Denial of Service — Aerohive HiveOSCWE-770 7.5 High2026-01-06
CVE-2025-9637 Quiz and Survey Master (QSM) <= 10.3.1 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads — Quiz and Survey Master (QSM) – Easy Quiz and Survey MakerCWE-862 6.5 Medium2026-01-06
CVE-2025-5919 Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification — Timetics – Appointment Booking & SchedulingCWE-862 6.5 Medium2026-01-06
CVE-2025-13964 LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification — LearnPress – WordPress LMS Plugin for Create and Sell Online CoursesCWE-862 5.3 Medium2026-01-06
CVE-2025-13215 Shortcodes and extra features for Phlox theme <= 2.17.13 - Unauthenticated Draft Posts Information Exposure — Shortcodes and extra features for Phlox themeCWE-200 5.3 Medium2026-01-06
CVE-2025-14996 AS Password Field In Default Registration Form <= 2.0.0 - Unauthenticated Privilege Escalation via Account Takeover — AS Password Field In Default Registration FormCWE-639 9.8 Critical2026-01-06
CVE-2025-15001 FS Registration Password <= 1.0.1 - Unauthenticated Privilege Escalation via Account Takeover — FS Registration PasswordCWE-639 9.8 Critical2026-01-06
CVE-2025-11370 Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates — Depicter — Popup & Slider BuilderCWE-862 5.3 Medium2026-01-06
CVE-2025-11723 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure — Appointment Booking Calendar — Simply Schedule Appointments Booking PluginCWE-330 6.5 Medium2026-01-06
CVE-2025-15364 Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword — Download ManagerCWE-353 7.3 High2026-01-06
CVE-2025-68456 Unauthenticated Craft CMS users can trigger a database backup — cmsCWE-770 9.1 -2026-01-05
CVE-2026-0625 D-Link DSL/DIR/DNS Authentication Bypass via DNS Configuration Endpoint — DSL-2640BCWE-306 9.8 -2026-01-05
CVE-2025-15029 An unauthenticated user is able to introduce SQL Injection using the Awie export module — Infra MonitoringCWE-89 9.8 Critical2026-01-05
CVE-2025-14124 Team < 5.0.11 - Unauthenticated SQLi — Team 9.8 -2026-01-05
CVE-2025-67419 EverShop 安全漏洞 — n/a 7.5 -2026-01-05
CVE-2025-67427 EverShop 安全漏洞 — n/a 7.5 -2026-01-05
CVE-2025-15115 Petlibro Smart Pet Feeder Platform through 1.7.31 Authentication Bypass via API endpoint — Smart Pet Feeder PlatformCWE-862 6.5 Medium2026-01-03
CVE-2025-34171 CasaOS <= 0.4.15 Unauthenticated File and Debug Data Exposure — CasaOSCWE-862--2026-01-03
CVE-2026-21446 Bagisto Missing Authentication on Installer API Endpoints — bagistoCWE-306 9.8 -2026-01-02
CVE-2026-21445 Langflow Missing Authentication on Critical API Endpoints — langflowCWE-306 9.4 -2026-01-02
CVE-2025-14072 Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure — Ninja Forms 5.3 -2026-01-02
CVE-2025-12685 WPBookit <= 1.0.7 - Customer Deletion via CSRF — WPBookit 4.3 -2026-01-02
CVE-2025-14047 WP User Frontend <= 4.2.4 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion — User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User RegistrationCWE-862 5.3 Medium2026-01-02
CVE-2025-14998 Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover — Branda – White Label & Branding, Free Login Page CustomizerCWE-639 9.8 Critical2026-01-02
CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling — signalk-serverCWE-288 9.1 Critical2026-01-01
CVE-2025-68273 Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints — signalk-serverCWE-200 5.3 Medium2026-01-01
CVE-2025-68272 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding — signalk-serverCWE-400 7.5 High2026-01-01
CVE-2025-66398 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) — signalk-serverCWE-78 9.7 Critical2026-01-01
CVE-2025-67711 Reflected XSS vulnerability in ArcGIS Server. — ArcGIS ServerCWE-79 6.1 Medium2025-12-31
CVE-2025-67710 Stored XSS vulnerability in ArcGIS Server — ArcGIS ServerCWE-79 6.1 Medium2025-12-31

Vulnerabilities classified as access:pre-auth represent 21176 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.