access:pre-auth — CVE vulnerabilities tagged 19065

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-4146 | Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter — Loco Translate CWE-79 | 6.1 | Medium | 2026-03-31 |
| CVE-2026-1797 | Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files — TrueBooker – Appointment Booking and Scheduler System CWE-862 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-1710 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax — WooPayments: Integrated WooCommerce Payments CWE-285 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-3300 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field — Everest Forms Pro CWE-94 | 9.8 | Critical | 2026-03-31 |
| CVE-2026-4020 | Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API — Gravity SMTP CWE-200 | 7.5 | High | 2026-03-31 |
| CVE-2026-30878 | baserCMS: Mail Form Acceptance Bypass via Public API — basercms CWE-285 | 5.3 | Medium | 2026-03-31 |
| CVE-2026-5130 | Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation — Debugger & Troubleshooter CWE-565 | 8.8 | High | 2026-03-30 |
| CVE-2026-4257 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality — Contact Form by Supsystic CWE-94 | 9.8 | Critical | 2026-03-30 |
| CVE-2026-31831 | Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint — Tautulli CWE-23 | 7.5 | - | 2026-03-30 |
| CVE-2026-31804 | Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server — Tautulli CWE-918 | 4.0 | Medium | 2026-03-30 |
| CVE-2026-33032 | Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover — nginx-ui CWE-306 | 9.8 | Critical | 2026-03-30 |
| CVE-2026-3321 | Authorization Bypass in ON24 Q&A chat — ON24 Q&A chat CWE-639 | 7.5 | - | 2026-03-30 |
| CVE-2026-4415 | GIGABYTE\|Gigabyte Control Center - Arbitrary File Write — Gigabyte Control Center CWE-23 | 8.1 | High | 2026-03-30 |
| CVE-2026-3945 | Tinyproxy security vulnerability — tinyproxy CWE-190 | 7.5 | High | 2026-03-30 |
| CVE-2026-2328 | Backend Access Due to Insufficient Input Validation — Device Sphere CWE-790 | 7.5 | High | 2026-03-30 |
| CVE-2026-3124 | Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id' — Download Monitor CWE-639 | 7.5 | High | 2026-03-30 |
| CVE-2026-29872 | Awesome LLM Apps security vulnerability — n/a | 7.5 | - | 2026-03-30 |
| CVE-2026-29909 | MRCMS security vulnerability — n/a | 5.3 | - | 2026-03-30 |
| CVE-2026-34472 | ZTE ZXHN H188A security vulnerability — n/a | 8.4 | - | 2026-03-30 |
| CVE-2026-0558 | Unauthenticated File Upload in parisneo/lollms — parisneo/lollms CWE-287 | 9.8 | - | 2026-03-29 |
| CVE-2026-32980 | OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request — OpenClaw CWE-770 | 7.5 | High | 2026-03-29 |
| CVE-2026-32974 | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token — OpenClaw CWE-347 | 8.6 | High | 2026-03-29 |
| CVE-2018-25225 | SIPP 3.3 Stack-Based Buffer Overflow via Configuration File — SIPP CWE-306 | 8.4 | High | 2026-03-28 |
| CVE-2018-25224 | PMS 0.42 Stack-Based Buffer Overflow via Configuration File — PMS CWE-306 | 8.4 | High | 2026-03-28 |
| CVE-2026-2442 | Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' — Page Builder: Pagelayer – Drag and Drop website builder CWE-93 | 5.3 | Medium | 2026-03-28 |
| CVE-2025-12886 | Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path — Oxygen - WooCommerce WordPress Theme CWE-918 | 7.2 | High | 2026-03-28 |
| CVE-2026-4987 | SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id' — SureForms – Contact Form, Payment Form & Other Custom Form Builder CWE-20 | 7.5 | High | 2026-03-28 |
| CVE-2026-33981 | Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters — changedetection.io CWE-200 | 7.5 | - | 2026-03-27 |
| CVE-2026-33885 | Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential — cms CWE-601 | 6.1 | Medium | 2026-03-27 |
| CVE-2026-33868 | Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>' — mastodon CWE-601 | 4.3 | Medium | 2026-03-27 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.