
access:pre-auth — CVE vulnerabilities tagged 18816

18816 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-3496 | JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter — JetBooking (CWE-89) | 7.5 | High | 2026-03-11 |
| CVE-2026-3178 | Name Directory <= 1.32.1 - Unauthenticated Stored Cross-Site Scripting via 'name_directory_name' — Name Directory (CWE-79) | 7.2 | High | 2026-03-11 |
| CVE-2026-3231 | Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field — Checkout Field Editor (Checkout Manager) for WooCommerce (CWE-79) | 7.2 | High | 2026-03-11 |
| CVE-2026-1454 | Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting — Lead Form Builder & Contact Form (CWE-79) | 7.2 | High | 2026-03-11 |
| CVE-2026-3903 | Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth — Modular DS: Monitor, update, and backup multiple websites (CWE-352) | 4.3 | Medium | 2026-03-11 |
| CVE-2026-1708 | Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CWE-89) | 7.5 | High | 2026-03-11 |
| CVE-2026-3826 | WellChoose\|IFTOP - Local File Inclusion — IFTOP (CWE-98) | 9.8 | Critical | 2026-03-11 |
| CVE-2026-2631 | Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation — Datalogics Ecommerce Delivery | 9.8 AI | Critical AI | 2026-03-11 |
| CVE-2026-2626 | Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection — divi-booster | 7.5 AI | High AI | 2026-03-11 |
| CVE-2026-1867 | WP Front User Submit < 5.0.6 - Unauthenticated Sensitive Information Exposure — Guest posting / Frontend Posting / Front Editor | 7.5 AI | High AI | 2026-03-11 |
| CVE-2026-3222 | WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter — WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters (CWE-89) | 7.5 | High | 2026-03-11 |
| CVE-2026-2413 | Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path — Ally – Web Accessibility & Usability (CWE-89) | 7.5 | High | 2026-03-11 |
| CVE-2026-23817 | Unauthenticated Open Redirect allows URL Manipulation in Web Interface — AOS-CX | 6.5 | Medium | 2026-03-11 |
| CVE-2026-23813 | Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset — AOS-CX | 9.8 | Critical | 2026-03-11 |
| CVE-2025-12473 | RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter — RTMKit (CWE-79) | 6.1 | Medium | 2026-03-11 |
| CVE-2026-1781 | MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion — MC4WP: Mailchimp for WordPress (CWE-862) | 6.5 | Medium | 2026-03-11 |
| CVE-2026-2324 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-352) | 6.1 | Medium | 2026-03-11 |
| CVE-2026-28807 | Path Traversal in wisp.serve_static allows arbitrary file read — wisp (CWE-22) | 7.5 AI | High AI | 2026-03-10 |
| CVE-2026-31824 | Sylius has a Promotion Usage Limit Bypass via Race Condition — Sylius (CWE-362) | 8.2 | High | 2026-03-10 |
| CVE-2026-31821 | Sylius is Missing Authorization in API v2 Add Item Endpoint — Sylius (CWE-862) | 5.3 AI | Medium AI | 2026-03-10 |
| CVE-2026-31819 | Sylius has an Open Redirect via Referer Header — Sylius (CWE-601) | 6.1 AI | Medium AI | 2026-03-10 |
| CVE-2026-31812 | Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing — quinn (CWE-248) | 7.5 | - | 2026-03-10 |
| CVE-2026-31809 | SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS — siyuan (CWE-79) | 5.4 AI | Medium AI | 2026-03-10 |
| CVE-2026-31807 | SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS — siyuan (CWE-79) | 6.1 AI | Medium AI | 2026-03-10 |
| CVE-2026-30965 | Parse Server session token exfiltration via `redirectClassNameForKey` query parameter — parse-server (CWE-863) | 8.1 AI | High AI | 2026-03-10 |
| CVE-2026-30947 | Parse Server has a bypass of class-level permissions in LiveQuery — parse-server (CWE-863) | 7.5 AI | High AI | 2026-03-10 |
| CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API — parse-server (CWE-770) | 7.5 AI | High AI | 2026-03-10 |
| CVE-2026-29792 | Feathersjs has an OAuth Callback Account Takeover — feathers (CWE-287) | 8.2 AI | High AI | 2026-03-10 |
| CVE-2026-29113 | Craft has a potential information disclosure vulnerability in preview tokens — cms (CWE-352) | 6.5 AI | Medium AI | 2026-03-10 |
| CVE-2026-28495 | GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php — GetSimpleCMS-CE (CWE-352) | 9.7 | Critical | 2026-03-10 |

Vulnerabilities classified as access:pre-auth represent 18816 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.