
access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth", each with AI-generated Chinese analysis, CVSS score, references and PoCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2018-25236 | Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management | Hirschmann HiOS | CWE-287 | 9.8 | Critical | 2026-04-03 |
| CVE-2026-34824 | Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service | mesop | CWE-125 | 7.5 | High | 2026-04-03 |
| CVE-2015-10148 | Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys | Hirschmann HiLCOS | CWE-321 | 7.5 | High | 2026-04-03 |
| CVE-2026-27833 | Piwigo: Unauthenticated Information Disclosure via pwg.history.search API | Piwigo | CWE-862 | 7.5 | High | 2026-04-03 |
| CVE-2026-27634 | Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter | Piwigo | CWE-89 | 7.5 (AI) | High (AI) | 2026-04-03 |
| CVE-2026-27481 | Discourse: Hidden tag visibility bypass on tag routes | discourse | CWE-200 | 5.3 (AI) | Medium (AI) | 2026-04-03 |
| CVE-2026-34980 | OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network | cups | CWE-20 | 9.8 (AI) | Critical (AI) | 2026-04-03 |
| CVE-2017-20237 | Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution | Hirschmann Industrial HiVision | CWE-287 | 9.8 | Critical | 2026-04-03 |
| CVE-2026-28798 | Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS | ZimaOS | CWE-918 | 9.1 | Critical | 2026-04-03 |
| CVE-2026-0545 | Missing Authentication for Critical Function in mlflow/mlflow | mlflow/mlflow | CWE-306 | 9.8 (AI) | Critical (AI) | 2026-04-03 |
| CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step | budibase | CWE-78 | 9.1 | Critical | 2026-04-03 |
| CVE-2026-25043 | Budibase: Unauthenticated Password Reset Endpoint Lacks Rate Limiting, Enabling Email Flooding | budibase | CWE-770 | 5.3 | Medium | 2026-04-03 |
| CVE-2026-31402 | nfsd: fix heap overflow in NFSv4.0 LOCK replay cache | Linux | | 9.8 | Critical | 2026-04-03 |
| CVE-2026-35537 | Roundcube Webmail Code Issue Vulnerability | Webmail | CWE-502 | 3.7 | Low | 2026-04-03 |
| CVE-2024-14033 | Hirschmann EagleSDV Denial of Service via TLS | Hirschmann EagleSDV | CWE-400 | 7.5 | High | 2026-04-02 |
| CVE-2024-14034 | Hirschmann HiEOS Authentication Bypass via HTTP Management Module | Hirschmann HiEOS LRS11 | CWE-287 | 9.8 | Critical | 2026-04-02 |
| CVE-2026-34834 | Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation | webmail | CWE-287 | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-35383 | Bentley Systems iTwin Platform exposed access token | iTwin Platform | CWE-540 | 6.5 | Medium | 2026-04-02 |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | oneuptime | CWE-862 | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | oneuptime | CWE-306 | 9.1 | Critical | 2026-04-02 |
| CVE-2026-34745 | Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public | fireshare | CWE-22 | 9.1 | Critical | 2026-04-02 |
| CVE-2026-5429 | Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme | Kiro IDE | CWE-79 | 7.8 | High | 2026-04-02 |
| CVE-2026-34742 | Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost | go-sdk | CWE-1188 | 7.1 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34736 | Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API | openedx-platform | CWE-287 | 5.3 | Medium | 2026-04-02 |
| CVE-2026-34598 | YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter" | yeswiki | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-34577 | Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check | postiz-app | CWE-918 | 8.6 | High | 2026-04-02 |
| CVE-2026-34121 | Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential of TP-Link Tapo C520WS | Tapo C520WS v2.6 | CWE-287 | 5.3 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-34523 | SillyTavern: Path traversal allows file existence oracle | SillyTavern | CWE-22 | 5.3 | Medium | 2026-04-02 |
| CVE-2026-34827 | Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser | rack | CWE-407 | 7.5 | High | 2026-04-02 |
| CVE-2026-34829 | Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length | rack | CWE-400 | 7.5 | High | 2026-04-02 |

Entries marked (AI) carry a CVSS score and severity assigned by the site's AI analysis rather than taken from the published advisory.

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.