Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21204

21204 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2026-20152 Cisco Secure Web Appliance Authentication Service Traffic Bypass Vulnerability — Cisco Secure Web ApplianceCWE-305 5.3 Medium2026-04-15
CVE-2026-5387 AVEVA Pipeline Simulation Missing Authorization — Pipeline Simulation 2025CWE-862 9.8 -2026-04-15
CVE-2026-1852 Product Pricing Table by WooBeWoo <= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion — Product Pricing Table by WooBeWooCWE-352 6.1 Medium2026-04-15
CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) — @fastify/expressCWE-436 9.1 -2026-04-15
CVE-2026-3643 Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API — Accessibly – WordPress Website AccessibilityCWE-79 7.2 High2026-04-15
CVE-2026-4091 OPEN-BRAIN <= 0.5.0 - Cross-Site Request Forgery — OPEN-BRAINCWE-352 6.1 Medium2026-04-15
CVE-2026-1782 MetForm Pro <= 3.9.7 - Unauthenticated Payment Amount Manipulation via 'mf-calculation' — MetForm ProCWE-20 5.3 Medium2026-04-15
CVE-2026-3461 Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email — Visa Acceptance SolutionsCWE-288 9.8 Critical2026-04-15
CVE-2026-4002 Petje.af <= 2.1.8 - Cross-Site Request Forgery to Account Deletion via 'petjeaf_disconnect' AJAX Action — Petje.afCWE-352 4.3 Medium2026-04-15
CVE-2026-5694 Quick Interest Slider <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting — Quick Interest SliderCWE-79 7.2 High2026-04-15
CVE-2026-6293 Inquiry form to posts or pages <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter — Inquiry form to posts or pagesCWE-352 4.3 Medium2026-04-15
CVE-2026-1555 WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload — WebStackCWE-434 9.8 Critical2026-04-15
CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters — Advanced Custom Fields (ACF®)CWE-862 5.3 Medium2026-04-15
CVE-2026-2834 Age Verification & Identity Verification by Token of Trust <= 3.32.3 - Unauthenticated Stored Cross-Site Scripting via 'description' Parameter — Age Verification & Identity Verification by Token of TrustCWE-79 7.2 High2026-04-15
CVE-2026-30994 Slah CMS 安全漏洞 — n/a 7.5 -2026-04-15
CVE-2026-1314 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure — 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image GalleryCWE-862 5.3 Medium2026-04-14
CVE-2026-35033 Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection — jellyfinCWE-88 7.5 -2026-04-14
CVE-2026-34457 OAuth2 Proxy: Health Check User-Agent Matching Bypasses Authentication in auth_request Mode — oauth2-proxyCWE-290 9.1 Critical2026-04-14
CVE-2026-33146 Docmost's Public Share Search Exposes Metadata of Restricted Children — docmostCWE-285 4.3 Medium2026-04-14
CVE-2025-15565 Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification — Nexi XPayCWE-862 5.3 Medium2026-04-14
CVE-2026-39907 Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via WCF SOAP — WebPerfect Image SuiteCWE-73 9.8 -2026-04-14
CVE-2026-39906 Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting — WebPerfect Image SuiteCWE-441 9.8 -2026-04-14
CVE-2026-34160 Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services — chamilo-lmsCWE-306 8.6 High2026-04-14
CVE-2026-33715 Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action — chamilo-lmsCWE-306 7.2 High2026-04-14
CVE-2026-5756 Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) — Central Office Services - Content Hosting Component 9.8 -2026-04-14
CVE-2026-33096 HTTP.sys Denial of Service Vulnerability — Windows 11 version 22H3CWE-125 7.5 High2026-04-14
CVE-2026-22828 Fortinet FortiManager Cloud和Fortinet FortiAnalyzer Cloud 安全漏洞 — FortiAnalyzer CloudCWE-122 7.3 High2026-04-14
CVE-2026-23708 Fortinet FortiSOAR PaaS和Fortinet FortiSOAR on-premise 授权问题漏洞 — FortiSOAR PaaSCWE-287 6.7 High2026-04-14
CVE-2026-4832 Schneider Electric多款产品 信任管理问题漏洞 — Easergy MiCOM P14xCWE-798 7.5 -2026-04-14
CVE-2025-13822 Authentication bypass in MCPHub — MCPHubCWE-639 8.8 -2026-04-14

Vulnerabilities classified as access:pre-auth represent 21204 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.