
access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth", each with AI-generated Chinese analysis, CVSS score, references and PoCs.

The tag "access:pre-auth" marks vulnerabilities an attacker can trigger without holding any valid credentials on the target (in CVSS terms, Privileges Required: None). It is the lowest barrier to entry: an exposed service, API, administrative interface or default configuration can be attacked directly from the network, and depending on the underlying weakness the result ranges from information disclosure and denial of service to arbitrary file upload and remote code execution. Typical root causes are missing authentication on a sensitive function (CWE-306), broken authorization that lets an anonymous caller reach a privileged action (CWE-862), injection flaws in pages and endpoints reachable before login (CWE-79, CWE-89, CWE-90), and logic errors in session or token handling that allow the login step to be skipped. Note that "pre-auth" says nothing about user interaction: the reflected XSS and CSRF entries below are pre-auth because the attacker needs no account, yet they still require a victim to follow a link or visit a page, which the CVSS vector records as User Interaction: Required. Pre-auth flaws that also need no interaction and carry high impact are the ones most widely exploited in the wild, because discovery and exploitation can be fully automated.

CVE ID | Title | Vendor / Product | CWE | CVSS | Severity | Published
CVE-2026-40149 | PraisonAI has an Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls | PraisonAI | CWE-396 | 7.9 | High | 2026-04-09
CVE-2026-40116 | PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits | PraisonAI | CWE-770 | 7.5 | High | 2026-04-09
CVE-2026-40114 | PraisonAI has Server-Side Request Forgery via Unvalidated webhook_url in Jobs API | PraisonAI | CWE-918 | 7.2 | High | 2026-04-09
CVE-2023-54364 | Joomla HikaShop 4.7.4 Reflected XSS via Product Filter | Joomla HikaShop | CWE-79 | 6.1 | Medium | 2026-04-09
CVE-2023-54363 | Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters | Joomla Solidres | CWE-79 | 6.1 | Medium | 2026-04-09
CVE-2023-54359 | WordPress adivaha Travel Plugin 2.3 SQL Injection via pid | WordPress adivaha Travel Plugin | CWE-89 | 8.2 | High | 2026-04-09
CVE-2023-54358 | WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile | WordPress adivaha Travel Plugin | CWE-79 | 6.1 | Medium | 2026-04-09
CVE-2026-39912 | v2board / Xboard Authentication Token Exposure via loginWithMailLink | v2board | CWE-201 | 9.1 | Critical | 2026-04-09
CVE-2026-1584 | gnutls: remote denial of service via crafted ClientHello with invalid PSK binder | Red Hat Hardened Images | CWE-476 | 7.5 | High | 2026-04-09
CVE-2026-39987 | marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass | marimo | CWE-306 | 9.8 (AI) | Critical (AI) | 2026-04-09
CVE-2026-34578 | OPNsense has an LDAP Injection via Unsanitized Username in Authentication | core | CWE-90 | 8.2 | High | 2026-04-09
CVE-2026-2519 | Online Scheduling and Appointment Booking System – Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips' | Online Scheduling and Appointment Booking System – Bookly | CWE-472 | 5.3 | Medium | 2026-04-09
CVE-2026-1830 | Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload | Quick Playground | CWE-862 | 9.8 | Critical | 2026-04-09
CVE-2025-12664 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | CWE-1284 | 7.5 | High | 2026-04-08
CVE-2026-1092 | Improper Validation of Specified Quantity in Input in GitLab | GitLab | CWE-1284 | 7.5 | High | 2026-04-08
CVE-2026-3438 | Nexus Repository 3 - Reflected Cross-Site Scripting (XSS) in ?describe Pages | Nexus Repository | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-08
CVE-2026-39889 | PraisonAI has Unauthenticated SSE Event Stream Exposes All Agent Activity in A2U Server | PraisonAI | CWE-200 | 7.5 | High | 2026-04-08
CVE-2026-5436 | MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys | MW WP Form | CWE-22 | 8.1 | High | 2026-04-08
CVE-2026-34723 | Zammad has incorrect access control in getting_started_controller | zammad | CWE-284 | 7.5 (AI) | High (AI) | 2026-04-08
CVE-2026-0811 | Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion | Advanced Contact form 7 DB | CWE-352 | 5.4 | Medium | 2026-04-08
CVE-2026-2942 | ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess | ProSolution WP Client | CWE-434 | 9.8 | Critical | 2026-04-08
CVE-2026-33756 | Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching | saleor | CWE-770 | 7.5 | High | 2026-04-08
CVE-2025-14243 | mirror-registry: OpenShift mirror registry: user enumeration via authentication error messages | mirror registry for Red Hat OpenShift | CWE-209 | 5.3 | Medium | 2026-04-08
CVE-2026-39393 | Post-Installation Re-entry via Cache-Dependent Install Guard Bypass in ci4ms | ci4ms | CWE-306 | 8.1 | High | 2026-04-08
CVE-2026-39390 | CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting | ci4ms | CWE-79 | 5.5 | Medium | 2026-04-08
CVE-2026-5302 | Permissive Cross-domain Policy with Untrusted Domains in coolercontrold | coolercontrold | CWE-942 | 6.3 | Medium | 2026-04-08
CVE-2026-5300 | Missing Authentication for Critical Function in coolercontrold | coolercontrold | CWE-306 | 5.9 | Medium | 2026-04-08
CVE-2026-5301 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in coolercontrol-ui | coolercontrol-ui | CWE-79 | 7.6 | High | 2026-04-08
CVE-2026-1672 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | CWE-352 | 6.5 | Medium | 2026-04-08
CVE-2026-3396 | WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection | WCAPF – Ajax Product Filter for WooCommerce | CWE-89 | 7.5 | High | 2026-04-08

(AI): the CVSS score and severity carry the source page's "AI" badge, i.e. they come from the site's AI analysis rather than from the vendor or NVD record.

Vulnerabilities classified as access:pre-auth currently number 19065 CVEs. The CWE column gives the weakness class only; review each CVE for product-specific impact, and check its CVSS vector for whether victim interaction is required.