Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21244

21244 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2025-34100 BuilderEngine 3.5.0 RCE via Unauthenticated Arbitrary File Upload — CMSCWE-434 9.8AICriticalAI2025-07-10
CVE-2025-34102 CryptoLog Unauthenticated RCE via SQL Injection and Command Injection — CryptoLogCWE-89 9.8AICriticalAI2025-07-10
CVE-2025-34096 Easy File Sharing HTTP Server 7.2 Buffer Overflow via POST to /sendemail.ghp — Easy File Sharing HTTP ServerCWE-119 9.8AICriticalAI2025-07-10
CVE-2025-34095 Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp — Mako ServerCWE-78 9.8AICriticalAI2025-07-10
CVE-2025-34093 Polycom HDX Series Telnet Command Injection via lan traceroute — HDX SeriesCWE-78 8.8AIHighAI2025-07-10
CVE-2025-34101 Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter — Media ServerCWE-78 9.8AICriticalAI2025-07-10
CVE-2025-34099 VICIdial vicidial_sales_viewer.php Unauthenticated Command Injection via Basic Auth Password — VICIdialCWE-78 9.8AICriticalAI2025-07-10
CVE-2025-53378 Trend Micro Worry-Free Business Security Services 访问控制错误漏洞 — Trend Micro Worry-Free Business Security ServicesCWE-306 7.6 High2025-07-10
CVE-2025-53709 Access control issues impacting secure-upload service — com.palantir.secupload:secure-uploadCWE-285 5.4 Medium2025-07-10
CVE-2025-49463 Zoom Clients for iOS - Insufficient Control Flow Management — Zoom Clients for iOSCWE-691 6.5 Medium2025-07-10
CVE-2025-5807 Gwolle Guestbook <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting via `gwolle_gb_content` Parameter — Gwolle GuestbookCWE-79 6.1 Medium2025-07-10
CVE-2025-6970 Events Manager <= 7.0.3 - Unauthenticated SQL Injection via `orderby` Parameter — Events Manager – Calendar, Bookings, Tickets, and more!CWE-89 7.5 High2025-07-09
CVE-2025-6975 Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter — Events Manager – Calendar, Bookings, Tickets, and more!CWE-79 6.1 Medium2025-07-09
CVE-2025-3499 Unauthenticated execution of arbitrary commands in Radiflow iSAP Smart Collector — iSAP Smart CollectorCWE-78 10.0 Critical2025-07-09
CVE-2025-3498 Unauthenticated modification of Radiflow iSAP Smart Collector configuration — iSAP Smart CollectorCWE-306 9.9 Critical2025-07-09
CVE-2025-6691 SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion — SureForms – Drag and Drop Form Builder for WordPressCWE-73 8.1 High2025-07-09
CVE-2025-6742 SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion — SureForms – Drag and Drop Form Builder for WordPressCWE-502 7.5 High2025-07-09
CVE-2025-4606 Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover — Sala - Startup & SaaS WordPress ThemeCWE-620 9.8 Critical2025-07-09
CVE-2025-34077 WordPress Pie Register Plugin ≤ 3.7.1.4 Authentication Bypass RCE — WordPress Pie Register PluginCWE-434 9.8AICriticalAI2025-07-09
CVE-2025-44177 White Star Software Protop 安全漏洞 — n/a 7.5AIHighAI2025-07-09
CVE-2025-52364 Tenda CP3 Pro 安全漏洞 — n/a 9.1AICriticalAI2025-07-09
CVE-2025-53645 Zimbra Collaboration Suite 安全漏洞 — n/a 7.5AIHighAI2025-07-09
CVE-2025-4855 Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key — Support BoardCWE-639 9.8 Critical2025-07-08
CVE-2025-3780 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification — WCFM – Frontend Manager for WooCommerceCWE-862 6.5 Medium2025-07-08
CVE-2025-4828 Support Board <= 3.8.0 - Unauthenticated Arbitrary File Deletion — Support BoardCWE-22 9.8 Critical2025-07-08
CVE-2025-49542 ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79) — ColdFusionCWE-79 5.2 Medium2025-07-08
CVE-2025-3648 Data Inference in Now Platform via Conditional ACLs — Now PlatformCWE-1220 5.3AIMediumAI2025-07-08
CVE-2024-55599 Fortinet FortiOS和Fortinet FortiProxy 安全特征问题漏洞 — FortiOSCWE-358 4.9 Medium2025-07-08
CVE-2025-40736 Siemens SINEC NMS 访问控制错误漏洞 — SINEC NMSCWE-306 9.8 Critical2025-07-08
CVE-2025-40735 Siemens SINEC NMS SQL注入漏洞 — SINEC NMSCWE-89 8.8 High2025-07-08

Vulnerabilities classified as access:pre-auth represent 21244 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.