
access:pre-auth (19065 tagged CVE vulnerabilities)

19065 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-26461 | Aver PTC320UV2 Command Injection Vulnerability | n/a | | 9.8 | - | 2026-05-01 |
| CVE-2026-37526 | Automotive Grade Linux app-framework-binder Access Control Error Vulnerability | n/a | | 7.8 | High | 2026-05-01 |
| CVE-2026-4503 | Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint | Langflow Desktop | CWE-639 | 7.5 | High | 2026-04-30 |
| CVE-2026-40912 | Traefik: StripPrefixRegex auth bypass via Path/RawPath desync | traefik | CWE-706 | 8.2 | - | 2026-04-30 |
| CVE-2026-40601 | Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle | chartbrew | CWE-862 | 7.5 | High | 2026-04-30 |
| CVE-2026-40595 | Chartbrew: Incorrect Access Control in public chart and export routes via missing onReport and SharePolicy checks | chartbrew | CWE-284 | 7.5 | High | 2026-04-30 |
| CVE-2026-35514 | Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew | chartbrew | CWE-306 | 6.5 | Medium | 2026-04-30 |
| CVE-2025-51846 | CryptPad unbounded WebSocket frame flood | CryptPad | CWE-770 | 7.5 | High | 2026-04-30 |
| CVE-2022-50992 | Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via XmlRpcServlet | E-cology | CWE-22 | 7.5 | High | 2026-04-30 |
| CVE-2022-50993 | Weaver E-office < 10.0_20221201 Unauthenticated Arbitrary File Read via XmlRpcServlet | E-office | CWE-434 | 9.8 | Critical | 2026-04-30 |
| CVE-2025-71284 | Synway SMG Gateway Management Software OS Command Injection via radius_address | Synway SMG Gateway Management Software | CWE-78 | 9.8 | Critical | 2026-04-30 |
| CVE-2026-2892 | Otter Blocks <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie | Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | CWE-285 | 7.5 | High | 2026-04-30 |
| CVE-2024-13971 | Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro | Lobster_pro | CWE-611 | 6.5 | - | 2026-04-30 |
| CVE-2026-6498 | Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter | Five Star Restaurant Reservations – WordPress Booking Plugin | CWE-345 | 5.3 | Medium | 2026-04-30 |
| CVE-2026-22070 | ColorOS Assistant Path Traversal Vulnerability | ColorOS Assistant | CWE-23 | 7.1 | High | 2026-04-30 |
| CVE-2024-39847 | Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP | 4D Server | CWE-611 | 9.1 | - | 2026-04-30 |
| CVE-2018-25318 | Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change | FH303/A300 | CWE-290 | 9.8 | Critical | 2026-04-29 |
| CVE-2018-25317 | Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change | W3002R | CWE-290 | 9.8 | Critical | 2026-04-29 |
| CVE-2018-25316 | Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change | W | CWE-290 | 9.8 | Critical | 2026-04-29 |
| CVE-2018-25300 | XATABoost CMS 1.0.0 SQL Injection via news.php | XATABoost CMS | CWE-89 | 8.2 | High | 2026-04-29 |
| CVE-2026-28221 | Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted print_hex_string() due to signed char promotion on x86_64 | wazuh | CWE-121 | 6.5 | Medium | 2026-04-29 |
| CVE-2026-41940 | WebPros cPanel and WHM Authentication Bypass via Login Flow | cPanel | CWE-306 | 9.8 | Critical | 2026-04-29 |
| CVE-2026-2902 | WP Meteor Website Speed Optimization Addon <= 3.4.16 - Unauthenticated Stored Cross-Site Scripting via Comment | WP Meteor Website Speed Optimization Addon | CWE-79 | 6.1 | Medium | 2026-04-29 |
| CVE-2026-3325 | SQL injection in MegaCMS by CRM Sistemas de Fidelización | MegaCMS | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-04-29 |
| CVE-2026-42518 | Information Disclosure Vulnerability in e-Sushrut HMIS | e-Sushrut, Hospital Management Information System (HMIS) | CWE-321 | 9.1 (AI) | Critical (AI) | 2026-04-29 |
| CVE-2026-4019 | Complianz – GDPR/CCPA Cookie Consent <= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure via Consent Area REST Endpoint | Complianz – GDPR/CCPA Cookie Consent | CWE-862 | 5.3 | Medium | 2026-04-29 |
| CVE-2026-41405 | OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing | OpenClaw | CWE-408 | 7.5 | High | 2026-04-28 |
| CVE-2026-41399 | OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades | OpenClaw | CWE-770 | 7.5 | High | 2026-04-28 |
| CVE-2026-41394 | OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes | OpenClaw | CWE-862 | 8.2 | High | 2026-04-28 |
| CVE-2026-41374 | OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Authorization | OpenClaw | CWE-408 | 5.3 | Medium | 2026-04-28 |

Vulnerabilities classified as access:pre-auth represent 19065 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.