Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

access:pre-auth — CVE vulnerabilities tagged 19065

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2026-1673 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion — BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.NetCWE-352 4.3 Medium2026-04-08
CVE-2026-4141 Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form — Quran TranslationsCWE-352 4.3 Medium2026-04-08
CVE-2026-5167 Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint — Masteriyo LMS – Online Course Builder for eLearning, LMS & EducationCWE-639 5.3 Medium2026-04-08
CVE-2026-3535 DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter — DSGVO Google Web Fonts GDPRCWE-434 9.8 Critical2026-04-08
CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint — Riaxe Product CustomizerCWE-200 5.3 Medium2026-04-08
CVE-2026-4338 ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure — ActivityPub 5.3AIMediumAI2026-04-08
CVE-2026-3646 LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update — LTL Freight Quotes – R+L Carriers EditionCWE-862 5.3 Medium2026-04-08
CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action — Users manager – PNCWE-862 9.8 Critical2026-04-08
CVE-2026-3499 Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions — Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerceCWE-352 8.8 High2026-04-08
CVE-2026-3296 Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata — Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form BuilderCWE-502 9.8 Critical2026-04-08
CVE-2026-4394 Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field — Gravity FormsCWE-79 6.1 Medium2026-04-07
CVE-2026-4406 Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter — Gravity FormsCWE-79 4.7 Medium2026-04-07
CVE-2026-4401 Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling — Download MonitorCWE-352 5.4 Medium2026-04-07
CVE-2026-2263 Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation — Hustle – Email Marketing, Lead Generation, Optins, PopupsCWE-862 5.3 Medium2026-04-07
CVE-2026-34045 Podman Desktop WebView Server Exposed — podman-desktopCWE-209 8.2 High2026-04-07
CVE-2026-33439 Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM — OpenAMCWE-502 9.8AICriticalAI2026-04-07
CVE-2026-39373 JWCrypto: JWE ZIP decompression bomb — jwcryptoCWE-409 5.3 Medium2026-04-07
CVE-2026-39367 WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page — AVideoCWE-79 5.4 Medium2026-04-07
CVE-2026-39324 Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization — rack-sessionCWE-287 7.4AIHighAI2026-04-07
CVE-2026-39321 Parse Server has a login timing side-channel reveals user existence — parse-serverCWE-208 4.8AIMediumAI2026-04-07
CVE-2026-39337 ChurchCRM Affected by Unauthenticated RCE in Install Wizard — CRMCWE-94 10.0 Critical2026-04-07
CVE-2026-39339 ChurchCRM has an API Authentication Bypass — CRMCWE-284 9.1 Critical2026-04-07
CVE-2026-22680 OpenViking < 0.3.3 Missing Authorization via Task Polling — OpenVikingCWE-862 5.3 Medium2026-04-07
CVE-2026-39312 Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition — SoftEtherVPNCWE-789 7.5 High2026-04-07
CVE-2025-14944 Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage — BackupBliss – Backup & Migration with Free Cloud StorageCWE-862 5.3 Medium2026-04-07
CVE-2026-35604 File Browser share links remain accessible after Share/Download permissions are revoked — filebrowserCWE-863 4.3AIMediumAI2026-04-07
CVE-2026-35584 FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration — freescoutCWE-306 8.2AIHighAI2026-04-07
CVE-2026-35526 Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions — strawberryCWE-770 7.5 High2026-04-07
CVE-2026-35487 text-generation-webui has a Path Traversal in load_prompt() — .txt file read without authentication — text-generation-webuiCWE-22 5.3 Medium2026-04-07
CVE-2026-35485 text-generation-webui has a Path Traversal in load_grammar() — arbitrary file read without authentication — text-generation-webuiCWE-22 7.5 High2026-04-07

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.