access:pre-auth — CVE vulnerabilities tagged (19070)

19070 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2016-20030 | ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction | ZKTeco ZKBioSecurity | CWE-551 | 9.8 | Critical | 2026-03-15 |
| CVE-2016-20026 | ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution | ZKTeco ZKBioSecurity | CWE-798 | 9.8 | Critical | 2026-03-15 |
| CVE-2026-4180 | D-Link DIR-816 goahead redirect.asp access control | DIR-816 | CWE-284 | 7.3 | High | 2026-03-15 |
| CVE-2026-4172 | TRENDnet TEW-632BRP HTTP POST Request ping_response.cgi stack-based overflow | TEW-632BRP | CWE-121 | 7.2 | High | 2026-03-15 |
| CVE-2026-2233 | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | CWE-862 | 5.3 | Medium | 2026-03-15 |
| CVE-2026-1947 | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id | NEX-Forms – Ultimate Forms Plugin for WordPress | CWE-639 | 7.5 | High | 2026-03-15 |
| CVE-2026-1870 | Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | CWE-862 | 5.3 | Medium | 2026-03-14 |
| CVE-2026-32713 | PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors | PX4-Autopilot | CWE-670 | 4.3 | Medium | 2026-03-13 |
| CVE-2026-32709 | PX4 Autopilot MAVLink FTP Unauthenticated Path Traversal (Arbitrary File Read/Write/Delete) | PX4-Autopilot | CWE-22 | 5.4 | Medium | 2026-03-13 |
| CVE-2026-32702 | Cleanuparr has Username Enumeration via Timing Attack | Cleanuparr | CWE-208 | 3.7 (AI) | Low (AI) | 2026-03-13 |
| CVE-2026-3560 | Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability | Hue Bridge | CWE-122 | 8.8 (AI) | High (AI) | 2026-03-13 |
| CVE-2026-32617 | AnythingLLM Permissable CORS policy | anything-llm | CWE-942 | 7.1 | High | 2026-03-13 |
| CVE-2026-32314 | Yamux remote Panic via malformed Data frame with SYN set and len = 262145 | rust-yamux | CWE-248 | 7.5 (AI) | High (AI) | 2026-03-13 |
| CVE-2026-31882 | Dagu SSE Authentication Bypass in Basic Auth Mode | dagu | CWE-306 | 7.5 | High | 2026-03-13 |
| CVE-2026-1668 | Input Validation Vulnerability on Multiple Omada Switches | SG2008P 3.2x | CWE-20 | 9.8 | - | 2026-03-13 |
| CVE-2026-2859 | Unauthenticated Host Enumeration via Observable Response Discrepancy on Deploy Agent Endpoint | Checkmk | CWE-204 | 5.3 | - | 2026-03-13 |
| CVE-2026-23943 | Pre-auth SSH DoS via unbounded zlib inflate | OTP | CWE-409 | 7.5 | - | 2026-03-13 |
| CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | CWE-639 | 5.3 | Medium | 2026-03-13 |
| CVE-2026-2890 | Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | CWE-862 | 7.5 | High | 2026-03-13 |
| CVE-2026-3045 | Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | CWE-862 | 7.5 | High | 2026-03-13 |
| CVE-2026-3891 | Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload | Pix for WooCommerce | CWE-434 | 9.8 | Critical | 2026-03-13 |
| CVE-2026-22216 | wpDiscuz before 7.6.47 - No Rate Limiting on Subscription Endpoints with LIKE Wildcard Bypass | wpDiscuz | CWE-799 | 6.5 | Medium | 2026-03-13 |
| CVE-2026-22199 | Voltronic Power SNMP Web Pro 1.1 Path Traversal via upload.cgi | SNMP Web Pro | CWE-22 | 7.5 | High | 2026-03-13 |
| CVE-2026-22192 | Voltronic Power SNMP Web Pro 1.1 Authentication Bypass via localStorage | SNMP Web Pro | CWE-306 | 9.9 | Critical | 2026-03-13 |
| CVE-2026-22182 | wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType | wpDiscuz | CWE-862 | 7.5 | High | 2026-03-13 |
| CVE-2026-32319 | Ella Core: Unauthenticated AMF DoS via malformed InitialUEMessage with undersized integrity-protected NAS payload | core | CWE-125 | 7.5 | High | 2026-03-12 |
| CVE-2026-32301 | Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL | centrifugo | CWE-918 | 9.3 | Critical | 2026-03-12 |
| CVE-2026-3611 | Honeywell IQ4x BMS Controller Missing authentication for critical function | IQ4E | CWE-306 | 10.0 | Critical | 2026-03-12 |
| CVE-2026-32248 | Parse Server: Account takeover via operator injection in authentication data identifier | parse-server | CWE-943 | 7.4 (AI) | High (AI) | 2026-03-12 |
| CVE-2026-32138 | NEXULEAN API Key Leak | website | CWE-284 | 8.2 | High | 2026-03-12 |

Vulnerabilities classified as access:pre-auth represent 19070 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.