
access:pre-auth — 19853 tagged CVE vulnerabilities

19853 CVE security advisories tagged "access:pre-auth", each with AI-generated Chinese analysis, CVSS score, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
(Scores and severities marked "(AI)" are AI-estimated rather than vendor-assigned; "-" means the field was not given.)

CVE-2026-23813 | Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset | AOS-CX | - | 9.8 | Critical | 2026-03-11
CVE-2025-12473 | RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter | RTMKit | CWE-79 | 6.1 | Medium | 2026-03-11
CVE-2026-1781 | MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion | MC4WP: Mailchimp for WordPress | CWE-862 | 6.5 | Medium | 2026-03-11
CVE-2026-2324 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting | LatePoint – Calendar Booking Plugin for Appointments and Events | CWE-352 | 6.1 | Medium | 2026-03-11
CVE-2026-28807 | Path Traversal in wisp.serve_static allows arbitrary file read | wisp | CWE-22 | 7.5 (AI) | High (AI) | 2026-03-10
CVE-2026-31824 | Sylius has a Promotion Usage Limit Bypass via Race Condition | Sylius | CWE-362 | 8.2 | High | 2026-03-10
CVE-2026-31821 | Sylius is Missing Authorization in API v2 Add Item Endpoint | Sylius | CWE-862 | 5.3 (AI) | Medium (AI) | 2026-03-10
CVE-2026-31819 | Sylius has an Open Redirect via Referer Header | Sylius | CWE-601 | 6.1 (AI) | Medium (AI) | 2026-03-10
CVE-2026-31812 | Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing | quinn | CWE-248 | 7.5 | - | 2026-03-10
CVE-2026-31809 | SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS | siyuan | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10
CVE-2026-31807 | SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS | siyuan | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-10
CVE-2026-30965 | Parse Server session token exfiltration via `redirectClassNameForKey` query parameter | parse-server | CWE-863 | 8.1 (AI) | High (AI) | 2026-03-10
CVE-2026-30947 | Parse Server has a bypass of class-level permissions in LiveQuery | parse-server | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-10
CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API | parse-server | CWE-770 | 7.5 (AI) | High (AI) | 2026-03-10
CVE-2026-29792 | Feathersjs has an OAuth Callback Account Takeover | feathers | CWE-287 | 8.2 (AI) | High (AI) | 2026-03-10
CVE-2026-29113 | Craft has a potential information disclosure vulnerability in preview tokens | cms | CWE-352 | 6.5 (AI) | Medium (AI) | 2026-03-10
CVE-2026-28495 | GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php | GetSimpleCMS-CE | CWE-352 | 9.7 | Critical | 2026-03-10
CVE-2026-27826 | MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers | mcp-atlassian | CWE-918 | 8.2 | High | 2026-03-10
CVE-2025-13901 | Schneider Electric multiple products security vulnerability | Modicon M241/M251 | CWE-404 | 5.3 (AI) | Medium (AI) | 2026-03-10
CVE-2026-30958 | OneUptime: Path Traversal — Arbitrary File Read (No Auth) | oneuptime | CWE-22 | 7.2 | High | 2026-03-10
CVE-2025-54659 | Fortinet FortiSOAR Agent Communication Bridge path traversal vulnerability | FortiSOAR Agent Communication Bridge | CWE-22 | 5.5 | Medium | 2026-03-10
CVE-2026-24017 | Fortinet FortiWeb security vulnerability | FortiWeb | CWE-799 | 7.3 | High | 2026-03-10
CVE-2026-25972 | Fortinet FortiSIEM cross-site scripting vulnerability | FortiSIEM | CWE-79 | 4.1 | Medium | 2026-03-10
CVE-2025-68482 | Fortinet FortiManager and Fortinet FortiAnalyzer trust management issue vulnerability | FortiAnalyzer | CWE-295 | 6.3 | Medium | 2026-03-10
CVE-2025-48840 | Fortinet FortiWeb security vulnerability | FortiWeb | CWE-290 | 5.0 | Medium | 2026-03-10
CVE-2026-22627 | Fortinet FortiSwitchAXFixed security vulnerability | FortiSwitchAXFixed | CWE-120 | 7.7 | High | 2026-03-10
CVE-2025-54820 | Fortinet FortiManager security vulnerability | FortiManager | CWE-121 | 7.0 | High | 2026-03-10
CVE-2026-30941 | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | parse-server | CWE-943 | 9.8 (AI) | Critical (AI) | 2026-03-10
CVE-2026-30939 | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution | parse-server | CWE-1321 | 7.5 (AI) | High (AI) | 2026-03-10
CVE-2026-2742 | Unauthorized session creation via reserved framework path access | vaadin | CWE-284 | 9.1 (AI) | Critical (AI) | 2026-03-10

Vulnerabilities classified as access:pre-auth currently number 19853 CVEs. The CWE column names the underlying weakness class only; consult each CVE's advisory for the product-specific impact and fixed versions.