目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1336 CNY

100%

access:pre-auth 标签下的 CVE 漏洞 20998

access:pre-auth 类型相关 20998 条 CVE 漏洞,含 AI 中文分析、CVSS、参考链接与 POC。

“access:pre-auth”标签标识了无需身份验证即可触发的漏洞,涵盖18971个CVE。此类漏洞之所以关键,是因为攻击者无需凭证即可直接利用,极大降低了攻击门槛并扩大了潜在受害面。典型场景包括远程代码执行、未授权数据访问及拒绝服务攻击,常见于配置错误的API接口、默认凭证服务或存在逻辑缺陷的认证前处理模块,对系统安全性构成直接且严重的威胁。

CVE IDタイトルCVSS深刻度公開日
CVE-2026-34834 Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation — webmailCWE-287 8.2AIHighAI2026-04-02
CVE-2026-35383 Bentley Systems iTwin Platform exposed access token — iTwin PlatformCWE-540 6.5 Medium2026-04-02
CVE-2026-34759 OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure — oneuptimeCWE-862 8.2AIHighAI2026-04-02
CVE-2026-34758 OneUptime: Missing Authentication on Notification Endpoints — oneuptimeCWE-306 9.1 Critical2026-04-02
CVE-2026-34745 Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public — fireshareCWE-22 9.1 Critical2026-04-02
CVE-2026-5429 Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme — Kiro IDECWE-79 7.8 High2026-04-02
CVE-2026-34742 Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost — go-sdkCWE-1188 7.1AIHighAI2026-04-02
CVE-2026-34736 Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API — openedx-platformCWE-287 5.3 Medium2026-04-02
CVE-2026-34598 YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter" — yeswikiCWE-79 6.1AIMediumAI2026-04-02
CVE-2026-34577 Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check — postiz-appCWE-918 8.6 High2026-04-02
CVE-2026-34121 Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential of TP-Link Tapo C520WS — Tapo C520WS v2.6CWE-287 5.3AIMediumAI2026-04-02
CVE-2026-34523 SillyTavern: Path traversal allows file existence oracle — SillyTavernCWE-22 5.3 Medium2026-04-02
CVE-2026-34827 Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser — rackCWE-407 7.5 High2026-04-02
CVE-2026-34829 Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length — rackCWE-400 7.5 High2026-04-02
CVE-2026-34230 Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header — rackCWE-400 5.3 Medium2026-04-02
CVE-2026-33951 signalk-server: Unauthenticated Source Priorities Manipulation — signalk-serverCWE-284 7.5AIHighAI2026-04-02
CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity — signalk-serverCWE-285 9.4 Critical2026-04-02
CVE-2026-34973 phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure — phpMyFAQCWE-943 8.2AIHighAI2026-04-02
CVE-2026-32629 phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor — phpMyFAQCWE-20 6.1AIMediumAI2026-04-02
CVE-2026-26927 URL (HTTP Origin) call location spoofing in Szafir SDK Web — Szafir SDK WebCWE-348 8.1AIHighAI2026-04-02
CVE-2026-29782 OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2 — openstamanagerCWE-502 7.2 High2026-04-02
CVE-2026-2699 EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC) — ShareFile Storage Zones ControllerCWE-698 9.8 Critical2026-04-02
CVE-2026-4282 Keycloak: keycloak: privilege escalation via forged authorization codes due to singleuseobjectprovider isolation flaw — Red Hat build of Keycloak 26.2CWE-653 7.4 High2026-04-02
CVE-2026-4634 Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters — Red Hat build of Keycloak 26.2CWE-1050 7.5 High2026-04-02
CVE-2026-32145 Multipart form body parser bypasses body size limits in wisp — wispCWE-770 7.5 -2026-04-02
CVE-2026-33617 MB connect line mbCONNECT24 vulnerable to an unauthenticated information disclosure in the data24 Endpoint — mbCONNECT24CWE-497 5.3 Medium2026-04-02
CVE-2026-33616 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint — mbCONNECT24CWE-89 7.5 High2026-04-02
CVE-2026-33615 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint — mbCONNECT24CWE-89 9.1 Critical2026-04-02
CVE-2026-33614 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint — mbCONNECT24CWE-89 7.5 High2026-04-02
CVE-2026-5032 W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header — W3 Total CacheCWE-200 7.5 High2026-04-02

access:pre-auth 是常见的弱点类别,本平台收录该类弱点关联的 20998 条 CVE 漏洞。