Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21204

21204 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2026-9074 IBM API Connect SQL Injection — API ConnectCWE-89 9.1 Critical2026-07-08
CVE-2026-59702 repomix - Server-Side Request Forgery via Unvalidated Repository URLs in POST /api/pack — repomixCWE-918 9.3 Critical2026-07-08
CVE-2026-55761 Portainer: Unauthenticated Restore Endpoint Allows Admin Takeover on Uninitialised Portainer Instances — portainerCWE-287--2026-07-08
CVE-2026-59703 repomix - Local File Inclusion via file:// URL Scheme in Git Clone Endpoint — repomixCWE-552 7.5 High2026-07-08
CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel — AVideoCWE-79 6.1 Medium2026-07-08
CVE-2026-58656 Grav API Plugin - Cross-Origin Admin Account Takeover via CORS Wildcard and JWT Query Parameter — gravCWE-598 7.5 High2026-07-08
CVE-2026-56284 Capgo - Unauthenticated Metrics Disclosure via get_total_metrics RPC — capgoCWE-200 5.3 Medium2026-07-08
CVE-2026-56226 Capgo - Unauthenticated Organization Data Disclosure via get_orgs_v6 RPC — capgoCWE-200 7.5 High2026-07-08
CVE-2026-56220 Capgo - Unauthorized Manifest Insertion via Read-Only Org Member — CapgoCWE-863 6.5 Medium2026-07-08
CVE-2026-53482 Dell PowerProtect 整数溢出致拒绝服务 — PowerProtect Data DomainCWE-190 7.5 High2026-07-08
CVE-2026-41122 Dell PowerProtect Data Domain存储型XSS漏洞 — PowerProtect Data DomainCWE-79 7.1 High2026-07-08
CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import — dgraphCWE-306 9.1 Critical2026-07-08
CVE-2026-58480 Blocksy Companion Pro < 2.1.47 Unauthenticated File Upload via save_attachments — Blocksy CompanionCWE-434 9.8 Critical2026-07-08
CVE-2026-6820 VikBooking Hotel Booking Engine & PMS <= 1.8.8 - Unauthenticated Stored Cross-Site Scripting via Booking Form Email Field — VikBooking Hotel Booking Engine & PMSCWE-79 7.2 High2026-07-08
CVE-2026-12002 Smash Balloon Social Photo Feed – Easy Social Feeds Plugin <= 6.11.1 - Cross-Site Request Forgery to oEmbed Access Token Overwrite via 'sbi_access_token' Parameter — Smash Balloon Social Photo Feed – Easy Social Feeds PluginCWE-352 4.7 Medium2026-07-08
CVE-2026-5459 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Subscription Overwrite — User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User RegistrationCWE-639 5.3 Medium2026-07-08
CVE-2026-5356 LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass — LatePoint – Calendar Booking Plugin for Appointments and EventsCWE-862 7.5 High2026-07-08
CVE-2026-41042 Apache Gravitino: Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter — Apache GravitinoCWE-20--2026-07-08
CVE-2026-6854 My Calendar <= 3.7.8 - Unauthenticated SQL Injection via 'mc_auth' and 'mc_host' Parameters — My Calendar – Accessible Event ManagerCWE-89 7.5 High2026-07-08
CVE-2026-14250 Themehunk Login Registration <= 1.0.2 - Unauthenticated Privilege Escalation via 'role' Parameter — TH Login RegistrationCWE-269 6.3 Medium2026-07-08
CVE-2026-6818 VikBooking Hotel Booking Engine & PMS <= 1.8.8 - Unauthenticated Stored Cross-Site Scripting via 'special_requests' Parameter — VikBooking Hotel Booking Engine & PMSCWE-79 7.2 High2026-07-08
CVE-2026-6230 Tainacan <= 1.0.3 - Unauthenticated SQL Injection via 'geoquery' REST API Parameter — TainacanCWE-89 7.5 High2026-07-08
CVE-2026-12378 BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection — Appointment Booking Calendar Plugin and Scheduling Plugin--2026-07-08
CVE-2026-14500 Bulk Order Update for WooCommerce <= 1.6 - Unauthenticated Arbitrary File Read via 'csv_url' Parameter — Bulk Order Update for WooCommerceCWE-22 5.3 Medium2026-07-08
CVE-2026-9731 Wp Js Detect <= 1.0.9 - Cross-Site Request Forgery to Plugin Settings Update — Wp Js DetectCWE-352 4.3 Medium2026-07-08
CVE-2026-9700 Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter — EventerCWE-89 7.5 High2026-07-08
CVE-2026-12153 WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation and Activation via jslearnmanager_ajax AJAX Action — WP Learn ManagerCWE-862 9.8 Critical2026-07-08
CVE-2026-12097 User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification — User ManagementCWE-862 5.3 Medium2026-07-08
CVE-2026-11798 Social Share, Social Login and Social Comments Plugin <= 7.14.5 - Reflected Cross-Site Scripting via 'heateor_mastodon_share' Parameter — Social Share, Social Login and Social Comments Plugin – Super SocializerCWE-79 6.1 Medium2026-07-08
CVE-2026-14495 DoLogin Security <= 4.3 - Unauthenticated Authentication Bypass via Insufficient Randomness via 'dologin' Parameter Weak PRNG Token — DoLogin SecurityCWE-338 8.8 High2026-07-08

Vulnerabilities classified as access:pre-auth represent 21204 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.