CVE-2026-35443

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

CVE-2026-40571 NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization

NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private...

CVE-2026-40571 NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization

NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private...

CVE-2026-40571

NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private...

CVE-2026-40571

CVE-2026-40571 (NamelessMC) affects NamelessMC website software for Minecraft servers. In version 2.2.4, the file core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. As a result, authenticated low-privil...

CVE-2026-35447 NamelessMC: Private or blocking profile pages can be bypassed with direct POST requests, and reply handling allows cross-profile writes

NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page modules/Core/pages/profile.php processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to wri...

CVE-2026-35447

NamelessMC web software (Minecraft servers) is affected by CVE-2026-35447 in version 2.2.4. The flaw resides in the profile page (modules/Core/pages/profile.php), where wall post submissions and replies are processed before verifying the viewer’s authorization. This allows any user with the profi...

EUVD-2026-33982

NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page modules/Core/pages/profile.php processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to wri...

CVE-2026-35447

NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page modules/Core/pages/profile.php processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to wri...

CVE-2026-40314

NamelessMC is website software for Minecraft servers. In version 2.2.4,core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. modules/Core/queries/reactions.php allows unauthenticated GET requests for...

EUVD-2026-33976

NamelessMC is website software for Minecraft servers. In version 2.2.4,core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. modules/Core/queries/reactions.php allows unauthenticated GET requests for...

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

CVE-2026-35443

NamelessMC (website software for Minecraft servers) is affected in version 2.2.4. The vulnerability lies in modules/Forum/classes/ForumPostReactionContext.php, where topic-level view_other_topics authorization is not re-enforced, allowing reactions on other users’ topics to be read and modified. ...

EUVD-2026-33975

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

CVE-2026-34460 NamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swapping

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

CVE-2026-32250

NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting XSS vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint /index.php?route=/queries/user/. The application reflects user-supplied input from the id parameter into the HTML response...

CVE-2026-32250

CVE-2026-32250 affects NamelessMC (Minecraft server website software). The issue is a Reflected XSS in the id parameter of the endpoint “/index.php?route=/queries/user/”. User input is echoed into the HTML response without proper sanitization/output encoding, enabling an attacker to inject JavaSc...

CVE-2026-32250 NamelessMC has Reflected Cross-Site Scripting (XSS) in id parameter of /index.php?route=/queries/user/

NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting XSS vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint /index.php?route=/queries/user/. The application reflects user-supplied input from the id parameter into the HTML response...

CVE-2026-32250 NamelessMC has Reflected Cross-Site Scripting (XSS) in id parameter of /index.php?route=/queries/user/

NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting XSS vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint /index.php?route=/queries/user/. The application reflects user-supplied input from the id parameter into the HTML response...