access:pre-auth — CVE vulnerabilities tagged (19070)

19070 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-3658 | Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin CWE-89 | 7.5 | High | 2026-03-19 |
| CVE-2026-3475 | Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter — Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation CWE-862 | 5.3 | Medium | 2026-03-19 |
| CVE-2026-4068 | Add Custom Fields to Media <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter — Add Custom Fields to Media CWE-352 | 4.3 | Medium | 2026-03-19 |
| CVE-2026-1238 | SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh' — SlimStat Analytics CWE-79 | 7.2 | High | 2026-03-19 |
| CVE-2026-28461 | OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn — OpenClaw CWE-770 | 7.5 | High | 2026-03-19 |
| CVE-2026-25667 | Microsoft .NET security vulnerability — n/a | 7.5 | - | 2026-03-19 |
| CVE-2026-32255 | Kan is Vulnerable to Unauthenticated SSRF via Attachment Download Endpoint — kan CWE-918 | 8.6 | High | 2026-03-18 |
| CVE-2026-32944 | Parse Server crash via deeply nested query condition operators — parse-server CWE-674 | 7.5 | - | 2026-03-18 |
| CVE-2026-25873 | OmniGen2-RL Reward Server Unsafe Deserialization RCE — OmniGen2-RL CWE-502 | 9.8 | Critical | 2026-03-18 |
| CVE-2026-32633 | Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist` — glances CWE-200 | 9.1 | Critical | 2026-03-18 |
| CVE-2026-2991 | KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token — KiviCare – Clinic & Patient Management System (EHR) CWE-287 | 7.3 | High | 2026-03-18 |
| CVE-2026-2992 | KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard — KiviCare – Clinic & Patient Management System (EHR) CWE-862 | 8.2 | High | 2026-03-18 |
| CVE-2026-3090 | Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type' — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App CWE-79 | 7.2 | High | 2026-03-18 |
| CVE-2026-32609 | Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials — glances CWE-200 | 7.5 | High | 2026-03-18 |
| CVE-2026-22323 | Cross‑Site Request Forgery in Link Aggregation Configuration — FL SWITCH 2005 CWE-352 | 7.1 | High | 2026-03-18 |
| CVE-2026-22322 | Stored Cross‑Site Scripting in Link Aggregation Name Handling — FL SWITCH 2005 CWE-79 | 7.1 | High | 2026-03-18 |
| CVE-2026-22321 | Stack-Based Buffer Overflow in CLI Login Username Handling over CLI — FL SWITCH 2005 CWE-121 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-32596 | Glances exposes the REST API without authentication — glances CWE-200 | 9.1 | - | 2026-03-18 |
| CVE-2026-32268 | Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability — azure-blob CWE-862 | 4.3 | - | 2026-03-18 |
| CVE-2026-32266 | Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability — google-cloud CWE-200 | 5.3 | - | 2026-03-18 |
| CVE-2026-1926 | Subscriptions for WooCommerce <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation — Subscriptions for WooCommerce CWE-862 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-1780 | [CR]Paid Link Manager <= 0.5 - Reflected Cross-Site Scripting — [CR]Paid Link Manager CWE-79 | 6.1 | Medium | 2026-03-18 |
| CVE-2026-32265 | Amazon S3 for Craft CMS has an Information Disclosure vulnerability — aws-s3 CWE-200 | 4.3 | - | 2026-03-18 |
| CVE-2026-2575 | Keycloak: keycloak: denial of service due to excessive samlrequest decompression — Red Hat build of Keycloak 26.4 CWE-409 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-4356 | itsourcecode University Management System add_result.php cross site scripting — University Management System CWE-79 | 2.4 | Low | 2026-03-18 |
| CVE-2025-55043 | Mura security vulnerability — n/a | 6.5 | - | 2026-03-18 |
| CVE-2026-21994 | Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit security vulnerability — Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit | 9.8 | Critical | 2026-03-17 |
| CVE-2026-1264 | IBM Sterling B2B Integrator and IBM Sterling File Gateway Improper Access Controls — Sterling B2B Integrator CWE-306 | 7.1 | High | 2026-03-17 |
| CVE-2025-14031 | IBM Sterling B2B Integrator and IBM Sterling File Gateway Denial of Service — Sterling B2B Integrator CWE-77 | 7.5 | High | 2026-03-17 |
| CVE-2026-32841 | Edimax GS-5008PL <= 1.00.54 Global Authentication State Across All Clients — Edimax GS-5008PL CWE-1108 | 8.1 | High | 2026-03-17 |

Vulnerabilities classified as access:pre-auth represent 19070 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.