access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-15625 | Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server — Sparx Pro Cloud Server (CWE-89) | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2025-15623 | Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user — Sparx Pro Cloud Server (CWE-359) | 7.5 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-6494 | Aap-mcp-server: aap mcp server: log injection allows social engineering attacks via unsanitized input — Red Hat Ansible Automation Platform 2 (CWE-117) | 5.3 | Medium | 2026-04-17 |
| CVE-2026-6451 | CMS für Motorrad Werkstätten <= 1.0.0 - Cross-Site Request Forgery — Plugin: CMS für Motorrad Werkstätten (CWE-352) | 4.3 | Medium | 2026-04-17 |
| CVE-2026-23853 | Dell PowerProtect Data Domain security vulnerability — PowerProtect Data Domain (CWE-1391) | 8.4 | High | 2026-04-17 |
| CVE-2026-5797 | Quiz and Survey Master (QSM) <= 11.1.0 - Unauthenticated Shortcode Injection Leading to Arbitrary Quiz Result Disclosure via Quiz Answer Text Input Fields — Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker (CWE-74) | 5.3 | Medium | 2026-04-17 |
| CVE-2026-5234 | LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-639) | 5.3 | Medium | 2026-04-17 |
| CVE-2026-5807 | Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations — Vault (CWE-770) | 7.5 | High | 2026-04-17 |
| CVE-2026-5231 | WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter — WP Statistics – Simple, privacy-friendly Google Analytics alternative (CWE-79) | 7.2 | High | 2026-04-17 |
| CVE-2026-37749 | CodeAstro Simple Attendance Management System security vulnerability — n/a | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40265 | Note Mark has Broken Access Control on Asset Download — note-mark (CWE-862) | 5.9 | Medium | 2026-04-16 |
| CVE-2026-40263 | Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel — note-mark (CWE-208) | 3.7 | Low | 2026-04-16 |
| CVE-2026-40248 | free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions — free5gc (CWE-285) | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-40247 | free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions — free5gc (CWE-285) | 5.3 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40246 | free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions — free5gc (CWE-285) | 5.3 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40308 | My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog — my-calendar (CWE-639) | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-39313 | MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport — mcp-framework (CWE-770) | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2025-36579 | Dell Client Platform BIOS security vulnerability — Dell Pro 14 Essential PV14250 (CWE-640) | 5.1 | Medium | 2026-04-16 |
| CVE-2026-6270 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes — @fastify/middie (CWE-436) | 9.1 | Critical | 2026-04-16 |
| CVE-2026-6410 | @fastify/static vulnerable to path traversal in directory listing — @fastify/static (CWE-22) | 5.3 | Medium | 2026-04-16 |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification — Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (CWE-639) | 5.3 | Medium | 2026-04-16 |
| CVE-2026-31843 | For national payment systems in Uzbekistan security vulnerability — pay-uz (CWE-284) | 9.8 | Critical | 2026-04-16 |
| CVE-2026-3489 | DirectoryPress – Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injection via 'packages' — DirectoryPress – Business Directory And Classified Ad Listing (CWE-89) | 7.5 | High | 2026-04-16 |
| CVE-2026-0718 | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification — Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX (CWE-862) | 5.3 | Medium | 2026-04-16 |
| CVE-2025-14868 | Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion — Career Section (CWE-22) | 8.8 | High | 2026-04-16 |
| CVE-2026-3876 | Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode — Prismatic (CWE-79) | 7.2 | High | 2026-04-16 |
| CVE-2026-3355 | Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' — Customer Reviews for WooCommerce (CWE-79) | 6.1 | Medium | 2026-04-16 |
| CVE-2026-3581 | Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update — Basic Google Maps Placemarks (CWE-862) | 5.3 | Medium | 2026-04-16 |
| CVE-2026-3599 | Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data — Riaxe Product Customizer (CWE-89) | 7.5 | High | 2026-04-16 |
| CVE-2026-5050 | Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation — Payment Gateway for Redsys & WooCommerce Lite (CWE-347) | 7.5 | High | 2026-04-16 |

19065 CVEs are classified as access:pre-auth. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.