access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35484 | text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication | text-generation-webui | CWE-22 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35483 | text-generation-webui has a Path Traversal in load_template() — .jinja/.yaml/.yml file read without authentication | text-generation-webui | CWE-22 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35457 | libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion | rust-libp2p | CWE-770 | 8.2 | High | 2026-04-07 |
| CVE-2026-22679 | Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint | E-cology | CWE-306 | 9.8 | Critical | 2026-04-07 |
| CVE-2021-4473 | Tianxin Internet Behavior Management System Command Injection via toQuery.php | Tianxin Internet Behavior Management System | CWE-78 | 9.8 | Critical | 2026-04-07 |
| CVE-2026-28808 | ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch) | OTP | CWE-863 | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-31842 | Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling | Tinyproxy | CWE-444 | 7.5 | High | 2026-04-07 |
| CVE-2026-4420 | Stored XSS via Page Creating functionality in Bludit | Bludit | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-3177 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | CWE-345 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-1900 | Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update | Link Whisper Free | | 5.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2025-15611 | Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF | Popup Box | | 7.1 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-0740 | Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload | Ninja Forms - File Uploads | CWE-434 | 9.8 | Critical | 2026-04-07 |
| CVE-2026-31271 | production_ssm security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-31272 | MRCMS security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2025-56015 | GenieACS security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-35449 | WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php | AVideo | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35413 | Directus GraphQL Schema SDL Disclosure Setting | directus | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-22675 | OCS Inventory NG Server Stored XSS via User-Agent | OCS Inventory NG Server | CWE-79 | 5.4 | Medium | 2026-04-06 |
| CVE-2026-35185 | HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses | HAXiam | CWE-284 | 7.5 (AI) | High (AI) | 2026-04-06 |
| CVE-2026-35179 | WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php | AVideo | CWE-862 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35036 | Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature | Ech0 | CWE-918 | 7.5 | High | 2026-04-06 |
| CVE-2026-35030 | LiteLLM has an authentication bypass via OIDC userinfo cache key collision | litellm | CWE-287 | 6.5 (AI) | Medium (AI) | 2026-04-06 |
| CVE-2026-34981 | whisperX REST API: SSRF in download_from_url() — URL validation happens after HTTP request, extension bypass via .mp3 | whisperX-FastAPI | CWE-918 | 5.8 | Medium | 2026-04-06 |
| CVE-2026-34977 | Aperi'Solve Affected by Unauthenticated RCE via JPSeek Analyzer Command | AperiSolve | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-04-06 |
| CVE-2026-34976 | Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization | dgraph | CWE-862 | 10.0 | Critical | 2026-04-06 |
| CVE-2026-34756 | vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server | vllm | CWE-770 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-33403 | Pi-hole has a Reflected XSS / HTML injection in taillog.js | web | CWE-79 | 6.1 | Medium | 2026-04-06 |
| CVE-2026-26263 | GLPI has an Unauthenticated SQL Injection via Search engine | glpi | CWE-89 | 8.1 | High | 2026-04-06 |
| CVE-2026-26027 | GLPI has an Unauthenticated Stored XSS via inventory | glpi | CWE-79 | 7.5 | High | 2026-04-06 |
| CVE-2026-30613 | AZIOT 1 Node Smart Switch security vulnerability | n/a | | 4.6 (AI) | Medium (AI) | 2026-04-06 |

A total of 19065 CVEs are classified as access:pre-auth. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.