access:pre-auth — 19065 tagged CVE vulnerabilities

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33654 | Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling — nanobot (CWE-94) | 10.0 | - | 2026-03-27 |
| CVE-2026-34205 | Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mode — Home Assistant Operating System (CWE-923) | 9.7 | Critical | 2026-03-27 |
| CVE-2026-26061 | Fleet's unbounded request body read allows remote Denial of Service — fleet (CWE-770) | 7.5 | - | 2026-03-27 |
| CVE-2026-34369 | AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification — AVideo (CWE-862) | 5.3 | Medium | 2026-03-27 |
| CVE-2026-34411 | Appsmith < 1.98 Unauthenticated Instance Configuration Disclosure via Management APIs — Appsmith (CWE-306) | 5.3 | Medium | 2026-03-27 |
| CVE-2026-5022 | Langflow - Missing Authorization on download_image Endpoint — langflow (CWE-862) | 5.3 | - | 2026-03-27 |
| CVE-2026-33763 | AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle — AVideo (CWE-307) | 5.3 | Medium | 2026-03-27 |
| CVE-2026-33761 | AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings — AVideo (CWE-862) | 5.3 | Medium | 2026-03-27 |
| CVE-2026-25100 | Stored XSS via SVG File Upload in Bludit — Bludit (CWE-79) | 5.4 | - | 2026-03-27 |
| CVE-2026-33366 | BUFFALO Wi-Fi router access control error vulnerability — BUFFALO Wi-Fi router products (CWE-306) | 4.6 | - | 2026-03-27 |
| CVE-2026-32678 | BUFFALO Wi-Fi router security vulnerability — BUFFALO Wi-Fi router products (CWE-288) | 8.8 | - | 2026-03-27 |
| CVE-2026-33935 | MyTube has Unauthenticated Account Lockout via Shared Login Attempt State — MyTube (CWE-307) | - | - | 2026-03-27 |
| CVE-2026-33890 | MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration — MyTube (CWE-284) | 9.8 | - | 2026-03-27 |
| CVE-2026-33721 | MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing — MapServer (CWE-787) | 5.3 | Medium | 2026-03-27 |
| CVE-2026-33693 | Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() — lemmy (CWE-918) | 6.5 | Medium | 2026-03-27 |
| CVE-2025-69988 | BS Producten Petcam security vulnerability — n/a | 6.5 | Medium | 2026-03-27 |
| CVE-2026-29871 | Awesome LLM Apps security vulnerability — n/a | 7.5 | - | 2026-03-27 |
| CVE-2026-30637 | OTCMS security vulnerability — n/a | 6.5 | - | 2026-03-27 |
| CVE-2026-4904 | Tenda AC5 POST Request setcfm formSetCfm stack-based overflow — AC5 (CWE-121) | 8.8 | High | 2026-03-26 |
| CVE-2026-33682 | Streamlit on Windows has Unauthenticated SSRF Vulnerability (NTLM Credential Exposure) — streamlit (CWE-918) | 4.7 | Medium | 2026-03-26 |
| CVE-2026-33638 | Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint — Ech0 (CWE-862) | 5.3 | Medium | 2026-03-26 |
| CVE-2026-33623 | PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution — pinchtab (CWE-78) | 6.7 | Medium | 2026-03-26 |
| CVE-2026-33619 | PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl — pinchtab (CWE-918) | 4.1 | Medium | 2026-03-26 |
| CVE-2026-33738 | Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint) — Lychee (CWE-79) | 6.1 | - | 2026-03-26 |
| CVE-2026-26213 | thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal — thingino-firmware (CWE-78) | 9.8 | - | 2026-03-26 |
| CVE-2026-33506 | DOM-Based XSS in Ory Polis Login Page — polis (CWE-87) | 8.8 | High | 2026-03-26 |
| CVE-2026-27664 | Siemens multiple products buffer error vulnerability — CPCI85 Central Processing/Communication (CWE-787) | 7.5 | High | 2026-03-26 |
| CVE-2026-33413 | etcd: Authorization bypasses in multiple APIs — etcd (CWE-862) | 8.6 | - | 2026-03-26 |
| CVE-2026-1032 | Conditional Menus <= 1.2.6 - Cross-Site Request Forgery to Menu Options Update — Conditional Menus (CWE-352) | 4.3 | Medium | 2026-03-26 |
| CVE-2026-2231 | Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters — Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution (CWE-79) | 7.2 | High | 2026-03-26 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.