CVE vulnerabilities tagged access:pre-auth (19065)

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33479 | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin | AVideo | CWE-94 | 8.8 | High | 2026-03-23 |
| CVE-2026-33478 | AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection | AVideo | CWE-78 | 10.0 | Critical | 2026-03-23 |
| CVE-2026-33352 | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) | AVideo | CWE-89 | 9.8 | Critical | 2026-03-23 |
| CVE-2026-31846 | Unauthenticated Credential Disclosure via /goform/ate in Nexxt Nebula 300+ | Nebula 300+ / Tenda F3 V2.0 Firmware | CWE-306 | 6.5 | Medium | 2026-03-23 |
| CVE-2026-32969 | Pre-Auth Blind SQLi in userinfo Endpoint | MB connect line mbCONNECT24 | CWE-89 | 7.5 | High | 2026-03-23 |
| CVE-2026-32968 | Unauthenticated RCE in com_mb24sysapi | MB connect line mbCONNECT24 | CWE-78 | 9.8 | Critical | 2026-03-23 |
| CVE-2026-4585 | Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection | Easy7 Integrated Management Platform | CWE-78 | 9.8 | Critical | 2026-03-23 |
| CVE-2026-3587 | Hidden CLI Function Allows Root Access | Lean Managed Switch 852-1812 | CWE-912 | 10.0 | Critical | 2026-03-23 |
| CVE-2025-13997 | King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | CWE-200 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-1969 | ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload | trx_addons | | 9.1 | - | 2026-03-23 |
| CVE-2025-10734 | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Sensitive Information Exposure | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | CWE-922 | 5.3 | Medium | 2026-03-23 |
| CVE-2025-10679 | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Limited Remote Code Execution | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | CWE-94 | 7.3 | High | 2026-03-23 |
| CVE-2025-10731 | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Sensitive Information Exposure to Data Export | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | CWE-285 | 5.3 | Medium | 2026-03-23 |
| CVE-2025-10736 | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | CWE-285 | 6.5 | Medium | 2026-03-23 |
| CVE-2026-2580 | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' Parameter | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | CWE-89 | 7.5 | High | 2026-03-22 |
| CVE-2026-33292 | AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos | AVideo | CWE-22 | 7.5 | High | 2026-03-22 |
| CVE-2026-4544 | Wavlink WL-WN578W2 POST Request login.cgi cross site scripting | WL-WN578W2 | CWE-79 | 2.4 | Low | 2026-03-22 |
| CVE-2026-4543 | Wavlink WL-WN578W2 POST Request firewall.cgi command injection | WL-WN578W2 | CWE-77 | 6.3 | Medium | 2026-03-22 |
| CVE-2026-3629 | Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields | Import and export users and customers | CWE-269 | 8.1 | High | 2026-03-21 |
| CVE-2019-25581 | i-doit CMDB 1.12 SQL Injection via objGroupID Parameter | doit CMDB | CWE-89 | 8.2 | High | 2026-03-21 |
| CVE-2019-25580 | ownDMS 4.7 SQL Injection via pdfstream.php imagestream.php | ownDMS | CWE-434 | 8.2 | High | 2026-03-21 |
| CVE-2019-25579 | phpTransformer 2016.9 Directory Traversal via jQueryFileUpload | phpTransformer | CWE-22 | 7.5 | High | 2026-03-21 |
| CVE-2019-25576 | Kepler Wallpaper Script 1.1 SQL Injection via category | Kepler Wallpaper Script | CWE-89 | 8.2 | High | 2026-03-21 |
| CVE-2019-25575 | SimplePress CMS 1.0.7 SQL Injection via p and s Parameters | SimplePress CMS | CWE-89 | 8.2 | High | 2026-03-21 |
| CVE-2019-25570 | RealTerm Serial Terminal 2.0.0.70 Denial of Service via Port Field | RealTerm: Serial Terminal | CWE-1260 | 5.5 | Medium | 2026-03-21 |
| CVE-2026-4373 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | JetFormBuilder — Dynamic Blocks Form Builder | CWE-36 | 7.5 | High | 2026-03-21 |
| CVE-2026-3478 | Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter | Content Syndication Toolkit | CWE-918 | 7.2 | High | 2026-03-21 |
| CVE-2026-2723 | Post Snippits <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update | Post Snippits | CWE-352 | 6.1 | Medium | 2026-03-21 |
| CVE-2026-4143 | Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update | Neos Connector for Fakturama | CWE-352 | 4.3 | Medium | 2026-03-21 |
| CVE-2026-1648 | Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter | Performance Monitor | CWE-918 | 7.2 | High | 2026-03-21 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.