access:pre-auth — CVE vulnerabilities tagged (19065)

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-1647 | Comment Genius <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Comment Genius (CWE-79) | 6.1 | Medium | 2026-03-21 |
| CVE-2026-2427 | itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter — itsukaita (CWE-79) | 6.1 | Medium | 2026-03-21 |
| CVE-2026-1503 | login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Plugin Name: login_register (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2024-13785 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution — Contact Form, Survey, Quiz & Popup Form Builder – ARForms (CWE-94) | 5.6 | Medium | 2026-03-21 |
| CVE-2026-3331 | Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update — Lobot Slider Administrator (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2026-3003 | Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code' — Vagaro Booking Widget (CWE-79) | 7.2 | High | 2026-03-21 |
| CVE-2026-1392 | SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update — SR WP Minify HTML (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2026-3641 | Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint — Appmax (CWE-20) | 5.3 | Medium | 2026-03-21 |
| CVE-2026-2468 | Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie — Quentn WP (CWE-89) | 7.5 | High | 2026-03-21 |
| CVE-2026-3332 | Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update — Xhanch – My Advanced Settings (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2026-3651 | Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action — Build App Online (CWE-862) | 5.3 | Medium | 2026-03-21 |
| CVE-2025-13910 | WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting — WP-WebAuthn (CWE-79) | 6.1 | Medium | 2026-03-21 |
| CVE-2026-4069 | Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter — Alfie – Feed Plugin (CWE-79) | 6.1 | Medium | 2026-03-21 |
| CVE-2026-3506 | WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover — WP-Chatbot for Messenger (CWE-862) | 5.3 | Medium | 2026-03-21 |
| CVE-2026-2277 | rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters — rexCrawler (CWE-79) | 6.1 | Medium | 2026-03-21 |
| CVE-2026-1390 | Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update — Redirect countdown (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2026-1378 | WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update — WP Posts Re-order (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2026-1393 | Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update — Add Google Social Profiles to Knowledge Graph Box (CWE-352) | 4.3 | Medium | 2026-03-21 |
| CVE-2026-2375 | App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter — App Builder – Create Native Android & iOS Apps On The Flight (CWE-269) | 6.5 | Medium | 2026-03-21 |
| CVE-2026-1800 | Fonts Manager \| Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter — Fonts Manager \| Custom Fonts (CWE-89) | 7.5 | High | 2026-03-21 |
| CVE-2026-2440 | SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting — SurveyJS: Drag & Drop Form Builder (CWE-79) | 7.2 | High | 2026-03-21 |
| CVE-2026-3335 | Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload — Canto (CWE-862) | 5.3 | Medium | 2026-03-21 |
| CVE-2026-3570 | Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter — Smarter Analytics (CWE-862) | 5.3 | Medium | 2026-03-21 |
| CVE-2026-4302 | WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API — WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation (CWE-918) | 7.2 | High | 2026-03-21 |
| CVE-2026-32896 | OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin — OpenClaw (CWE-306) | 4.8 | Medium | 2026-03-21 |
| CVE-2026-32064 | OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer — OpenClaw (CWE-306) | 7.7 | High | 2026-03-21 |
| CVE-2026-3572 | iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field — iTracker360 (CWE-79) | 6.1 | Medium | 2026-03-20 |
| CVE-2026-3368 | Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name — Injection Guard (CWE-79) | 7.2 | High | 2026-03-20 |
| CVE-2026-33427 | Discourse Authorization Page Displays Unvalidated Redirect Domain — discourse (CWE-862) | 4.3 | - | 2026-03-20 |
| CVE-2026-33425 | Discourse has inferable private group membership or existence via exclude_groups parameter — discourse (CWE-203) | 5.3 | - | 2026-03-20 |

19065 CVEs are classified as access:pre-auth. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.