
access:pre-auth — 20217 tagged CVE vulnerabilities

20217 CVE security advisories tagged "access:pre-auth", with AI-generated Chinese analysis, CVSS scores, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39324 | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization | rack-session | CWE-287 | 7.4 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39321 | Parse Server has a login timing side-channel reveals user existence | parse-server | CWE-208 | 4.8 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39337 | ChurchCRM Affected by Unauthenticated RCE in Install Wizard | CRM | CWE-94 | 10.0 | Critical | 2026-04-07 |
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | CRM | CWE-284 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-22680 | OpenViking < 0.3.3 Missing Authorization via Task Polling | OpenViking | CWE-862 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-39312 | Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition | SoftEtherVPN | CWE-789 | 7.5 | High | 2026-04-07 |
| CVE-2025-14944 | Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage | BackupBliss – Backup & Migration with Free Cloud Storage | CWE-862 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35604 | File Browser share links remain accessible after Share/Download permissions are revoked | filebrowser | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35584 | FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration | freescout | CWE-306 | 8.2 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35526 | Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions | strawberry | CWE-770 | 7.5 | High | 2026-04-07 |
| CVE-2026-35487 | text-generation-webui has a Path Traversal in load_prompt() — .txt file read without authentication | text-generation-webui | CWE-22 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35485 | text-generation-webui has a Path Traversal in load_grammar() — arbitrary file read without authentication | text-generation-webui | CWE-22 | 7.5 | High | 2026-04-07 |
| CVE-2026-35484 | text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication | text-generation-webui | CWE-22 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35483 | text-generation-webui has a Path Traversal in load_template() — .jinja/.yaml/.yml file read without authentication | text-generation-webui | CWE-22 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35457 | libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion | rust-libp2p | CWE-770 | 8.2 | High | 2026-04-07 |
| CVE-2026-22679 | Weaver E-cology 10.0 Unauthenticated RCE via dubboApi Debug Endpoint | E-cology | CWE-306 | 9.8 | Critical | 2026-04-07 |
| CVE-2021-4473 | Tianxin Internet Behavior Management System Command Injection via toQuery.php | Tianxin Internet Behavior Management System | CWE-78 | 9.8 | Critical | 2026-04-07 |
| CVE-2026-28808 | ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch) | OTP | CWE-863 | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-31842 | Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling | Tinyproxy | CWE-444 | 7.5 | High | 2026-04-07 |
| CVE-2026-4420 | Stored XSS via Page Creating functionality in Bludit | Bludit | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-3177 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | CWE-345 | 5.3 | Medium | 2026-04-07 |
| CVE-2026-1900 | Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update | Link Whisper Free | | 5.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2025-15611 | Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF | Popup Box | | 7.1 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-0740 | Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload | Ninja Forms - File Uploads | CWE-434 | 9.8 | Critical | 2026-04-07 |
| CVE-2025-56015 | GenieACS security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-31271 | production_ssm security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-31272 | MRCMS security vulnerability | n/a | | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-35449 | WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php | AVideo | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35413 | Directus GraphQL Schema SDL Disclosure Setting | directus | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-22675 | OCS Inventory NG Server Stored XSS via User-Agent | OCS Inventory NG Server | CWE-79 | 5.4 | Medium | 2026-04-06 |

"(AI)" marks a CVSS score or severity that the listing labels as AI-estimated rather than vendor-assigned; an empty CWE cell means no CWE was listed for that entry.

Vulnerabilities classified as access:pre-auth represent 20217 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.