CVE vulnerabilities tagged access:pre-auth (19704)

19704 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2026-9732 | EmergencyWP <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update — EmergencyWP – Dead Man's switch & legacy deliverance (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-49144 | BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler — browserstack-runner (CWE-22) | 6.5 | Medium | 2026-06-02 |
| CVE-2026-49143 | BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler — browserstack-runner (CWE-94) | 8.8 | High | 2026-06-02 |
| CVE-2026-5385 | GLPI 11.0.0 - Stored XSS in knowledge base — glpi (CWE-79) | - | - | 2026-06-02 |
| CVE-2026-5073 | ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter — ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (CWE-89) | 7.5 | High | 2026-06-02 |
| CVE-2026-5076 | ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation — ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (CWE-287) | 9.8 | Critical | 2026-06-02 |
| CVE-2026-40713 | Dell ThinOS privilege escalation leading to information disclosure — ThinOS 10 (CWE-284) | 6.1 | Medium | 2026-06-02 |
| CVE-2026-40314 | NamelessMC: Reactions on private or blocking profile posts can be read and modified without proper authorization — Nameless (CWE-862) | - | - | 2026-06-02 |
| CVE-2026-0611 | Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting — Sentinel (CWE-306) | 9.8 | Critical | 2026-06-02 |
| CVE-2026-45554 | NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes — nicegui (CWE-248) | 5.3 | Medium | 2026-06-02 |
| CVE-2026-10591 | Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths — Kiro IDE (CWE-732) | 8.8 | High | 2026-06-02 |
| CVE-2026-45685 | OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages — opentelemetry-ebpf-instrumentation (CWE-20) | 7.5 | High | 2026-06-02 |
| CVE-2026-47117 | OpenMed < 1.5.2 Remote Code Execution via PII Model Loading — openmed (CWE-94) | 9.8 | Critical | 2026-06-02 |
| CVE-2026-10622 | CVE-2026-10622 — Collibra Platform (on-prem) | - | - | 2026-06-02 |
| CVE-2019-25717 | Dräger Infinity Delta/Kappa Patient Monitors Unauthenticated Log File Disclosure — Infinity Delta (CWE-538) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-7312 | CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity — Sitefinity | 10.0 | Critical | 2026-06-02 |
| CVE-2026-7198 | CWE-284: Improper Access Control in web services in Progress Sitefinity — Sitefinity (CWE-284) | 9.8 | Critical | 2026-06-02 |
| CVE-2026-7195 | CWE-20: Improper Input Validation in web services in Progress Sitefinity — Sitefinity (CWE-20) | 8.8 | High | 2026-06-02 |
| CVE-2026-34906 | Server-Side Template Injection (SSTI) in Wirtualna Uczelnia — Wirtualna Uczelnia (CWE-1336) | - | - | 2026-06-02 |
| CVE-2026-1451 | rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'a' Parameter — rognone (CWE-79) | 6.1 | Medium | 2026-06-02 |
| CVE-2026-9722 | Laiser Tag <= 1.2.5 - Cross-Site Request Forgery to Plugin Settings Update via Settings Form — Laiser Tag (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-8422 | Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update — Remove meta boxes per user role (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-9730 | Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update — Remove NoFollow Commenter URL (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-9599 | Tectite Forms <= 1.3 - Cross-Site Request Forgery to Settings Update — Tectite Forms (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-9723 | Google Plus One Bottom <= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page — Google Plus One Bottom (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-2425 | hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting via 'new_domain' Parameter — hiWeb Migration Simple (CWE-79) | 6.1 | Medium | 2026-06-02 |
| CVE-2026-1450 | rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'mode' Parameter — rognone (CWE-79) | 6.1 | Medium | 2026-06-02 |
| CVE-2026-4071 | BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change — BirdSeed (CWE-352) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-3514 | Authentication Bypass in prefecthq/prefect — prefecthq/prefect (CWE-863) | - | - | 2026-06-02 |
| CVE-2026-8206 | Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' — Kirki – Freeform Page Builder, Website Builder & Customizer (CWE-269) | 9.8 | Critical | 2026-06-02 |

19704 CVEs are classified as access:pre-auth. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.