access:pre-auth — CVE vulnerabilities tagged: 19065

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-6449 | Booking for Appointments and Events Calendar – Amelia <= 2.1.2 - Unauthenticated Authorization Bypass via Remote Approval Endpoint | Booking for Appointments and Events Calendar – Amelia | CWE-285 | 5.3 | Medium | 2026-05-02 |
| CVE-2026-4650 | FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler | FundPress – WordPress Donation Plugin | CWE-862 | 5.3 | Medium | 2026-05-02 |
| CVE-2026-7649 | ARMember <= 4.0.60 - Unauthenticated SQL Injection via 'orderby' Parameter | ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | CWE-89 | 7.5 | High | 2026-05-02 |
| CVE-2026-5110 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5111 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Hidden Product Field in Repeater | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-7647 | Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection | Profile Builder Pro | CWE-502 | 8.1 | High | 2026-05-02 |
| CVE-2026-5109 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5112 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5113 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field Hidden Input | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-7049 | PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter | PixelYourSite Pro – Your smart PIXEL (TAG) Manager | CWE-918 | 7.2 | High | 2026-05-02 |
| CVE-2026-4882 | User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload | User Registration Advanced Fields | CWE-434 | 9.8 | Critical | 2026-05-02 |
| CVE-2025-14726 | Widgets for Social Photo Feed <= 1.8 - Missing Authentication to Unauthenticated Plugin Settings Access/Update via trustindex_feed_hook_instagram REST API endpoints | Widgets for Social Photo Feed | CWE-200 | 6.5 | Medium | 2026-05-02 |
| CVE-2026-7458 | User Verification by PickPlugins <= 2.0.46 - Unauthenticated Authentication Bypass via OTP Verification REST API Endpoint | User Verification by PickPlugins | CWE-288 | 9.8 | Critical | 2026-05-02 |
| CVE-2026-39805 | CL.CL HTTP request smuggling via duplicate Content-Length in bandit | bandit | CWE-444 | 9.1 | - | 2026-05-01 |
| CVE-2026-39804 | WebSocket permessage-deflate inflate has no output-size cap in bandit | bandit | CWE-770 | 7.5 | - | 2026-05-01 |
| CVE-2026-39807 | Client-supplied URI scheme trusted without transport verification in bandit | bandit | CWE-807 | 7.5 | - | 2026-05-01 |
| CVE-2026-42786 | WebSocket fragmented message reassembly unbounded in bandit | bandit | CWE-770 | 7.5 | - | 2026-05-01 |
| CVE-2026-42788 | HTTP/2 frame size limit checked after body is buffered in bandit | bandit | CWE-770 | 5.9 | - | 2026-05-01 |
| CVE-2026-43507 | Prosody security vulnerability | Prosody | CWE-770 | 5.3 | Medium | 2026-05-01 |
| CVE-2026-43506 | Prosody security vulnerability | Prosody | CWE-401 | 5.3 | Medium | 2026-05-01 |
| CVE-2026-43505 | Prosody security vulnerability | Prosody | CWE-420 | 6.5 | Medium | 2026-05-01 |
| CVE-2026-43504 | Prosody security vulnerability | Prosody | CWE-863 | 6.5 | Medium | 2026-05-01 |
| CVE-2026-31773 | Bluetooth: SMP: derive legacy responder STK authentication from MITM state | Linux | | 8.8 | High | 2026-05-01 |
| CVE-2026-31712 | ksmbd: require minimum ACE size in smb_check_perm_dacl() | Linux | | 8.3 | High | 2026-05-01 |
| CVE-2026-31711 | smb: server: fix active_num_conn leak on transport allocation failure | Linux | | 7.5 | High | 2026-05-01 |
| CVE-2026-3143 | Total Upkeep <= 1.17.1 - Missing Authorization to Unauthenticated Rollback Cancellation | Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid | CWE-862 | 5.3 | Medium | 2026-05-01 |
| CVE-2026-3140 | Ultimate Dashboard <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation | Ultimate Dashboard – Custom WordPress Dashboard | CWE-352 | 4.3 | Medium | 2026-05-01 |
| CVE-2026-3772 | WP Editor <= 1.2.9.2 - Cross-Site Request Forgery to Remote Code Execution via Plugin and Theme File Editor | WP Editor | CWE-352 | 8.8 | High | 2026-05-01 |
| CVE-2026-7567 | Temporary Login <= 1.0.0 - Authentication Bypass to Account Takeover | Temporary Login | CWE-288 | 9.8 | Critical | 2026-05-01 |
| CVE-2024-13362 | Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter | Go Fetch Jobs (for WP Job Manager) | CWE-79 | 6.1 | Medium | 2026-05-01 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.