Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21158

21158 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2025-13360 Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update — Quantic Social Image HoverCWE-352 4.3 Medium2025-12-05
CVE-2025-13625 WP-SOS-Donate Donation Sidebar Plugin <= 0.9.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — WP-SOS-Donate Donation Sidebar PluginCWE-79 6.1 Medium2025-12-05
CVE-2025-13621 dream gallery <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'dreampluginsmain' AJAX Action — dream galleryCWE-352 6.1 Medium2025-12-05
CVE-2025-13512 CoSign Single Signon <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — CoSign Single SignonCWE-79 6.1 Medium2025-12-05
CVE-2025-13144 ContentStudio <= 1.3.7 - Cross-Site Request Forgery to Settings Update — ContentStudioCWE-352 4.3 Medium2025-12-05
CVE-2025-13006 SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure — SurveyFunnel – Survey Plugin for WordPressCWE-200 5.3 Medium2025-12-05
CVE-2025-13312 CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action — CRM MembershipsCWE-862 5.3 Medium2025-12-05
CVE-2025-13313 CRM Memberships <= 2.6 - Missing Authorization to Privilege Escalation via Unauthenticated Password Reset in 'ntzcrm_changepassword' AJAX Endpoint — CRM MembershipsCWE-862 9.8 Critical2025-12-05
CVE-2025-13362 Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update — Norby AICWE-352 4.3 Medium2025-12-05
CVE-2025-13494 SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure — SSP DebugCWE-200 5.3 Medium2025-12-05
CVE-2025-11759 Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save() — Backup, Restore and Migrate your sites with XClonerCWE-352 4.3 Medium2025-12-05
CVE-2025-64052 Fanvil x210 安全漏洞 — n/a 7.8 -2025-12-05
CVE-2025-64056 Fanvil x210 安全漏洞 — n/a 7.1 -2025-12-05
CVE-2025-64057 Fanvil x210 安全漏洞 — n/a 7.8 -2025-12-05
CVE-2025-1545 WatchGuard Firebox XPath Injection Vulnerability in Web CGI — Fireware OSCWE-91 7.5AIHighAI2025-12-04
CVE-2025-11838 WatchGuard Firebox iked Memory Corruption Vulnerability — Fireware OSCWE-763 7.5AIHighAI2025-12-04
CVE-2025-65959 Open WebUI vulnerable to Stored DOM XSS via Note 'Download PDF' — open-webuiCWE-79 8.7 High2025-12-04
CVE-2025-66576 Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE) — Remote Keyboard DesktopCWE-78 9.8AICriticalAI2025-12-04
CVE-2025-66573 Solstice Pod API Session Key Extraction via API Endpoint — Solstice Pod APICWE-319 7.5AIHighAI2025-12-04
CVE-2025-66572 Loaded Commerce 6.6 Client-Side Template Injection (CSTI) — Loaded CommerceCWE-78 9.8AICriticalAI2025-12-04
CVE-2025-66571 UNA CMS 9.0.0-RC1 - 14.0.0-RC4 PHP Object Injection — UNA CMSCWE-502 9.8AICriticalAI2025-12-04
CVE-2025-66555 AirKeyboard iOS App 1.0.5 - Remote Input Injection — AirKeyboard iOS AppCWE-306 9.8AICriticalAI2025-12-04
CVE-2024-58277 R Radio Network FM Transmitter 1.07 System Settings Disclosure — Radio Network FM TransmitterCWE-312 9.8AICriticalAI2025-12-04
CVE-2024-58276 Obi08-Enrollment System 1.0 login.php SQL Injection — Obi08/Enrollment SystemCWE-89 9.1AICriticalAI2025-12-04
CVE-2023-53735 WEBIGniter 28.7.23 Cross-Site Scripting (XSS) in User Creation Process — WEBIGniterCWE-79 6.1AIMediumAI2025-12-04
CVE-2023-53734 dawa-pharma-1.0 - SQL Injection via Email Parameter — dawa-pharmaCWE-89 9.8AICriticalAI2025-12-04
CVE-2025-12995 Medtronic CareLink Network 安全漏洞 — CareLink NetworkCWE-307 8.1 High2025-12-04
CVE-2025-12994 Medtronic CareLink Network 安全漏洞 — CareLink NetworkCWE-204 5.3 Medium2025-12-04
CVE-2025-14012 JIZHICMS Batch Delete Comments deleteAll.html delete sql injection — JIZHICMSCWE-89 4.7 Medium2025-12-04
CVE-2025-13513 Clik stats <= 0.8 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Clik statsCWE-79 6.1 Medium2025-12-04

Vulnerabilities classified as access:pre-auth represent 21158 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.