14 matches found
EUVD-2026-33983
NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private...
EUVD-2026-33976
NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. modules/Core/queries/reactions.php allows unauthenticated GET requests for...
EUVD-2026-33960
NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...
MC-271325-PoC
Status trailing-byte log amplification MC-271325 Unauthenti...
EUVD-2018-17518
Malware in sbrugna...
PT-2025-33881 · Undefined · Undefined
ParsedReport, 19-08-2025. The emergence of MountBot, which hides its processes. https://blog.nicter.jp/2025/08/mountbot 2025aug/ Report completeness: Medium. Threats: Mountbot, Rapperbot, Socat tool. Victims: IoT devices, Online game servers, Minecraft servers, Asus wifi routers,...
CVE-2025-27107 Integrated Scripting vulnerable to arbitrary code execution via Java reflection
Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated Scripting prior to versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 may be vulnerable to arbitrary code execution. By using Java...
CVE-2025-22144 Account Takeover in NamelessMC
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when t...
mrpack-install path traversal vulnerability
mrpack-install is a CLI application for installing Minecraft servers and Modrinth modpacks, written by individual developer Florian H. mrpack-install version 0.16.2 and earlier versions contain a security vulnerability, which stems from the presence of a path traversal vulnerability...
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure...
Minecraft Servers List Lite and Premium Minecraft Servers List Unauthenticated Upload Vulnerability
Minecraft Servers List Lite is a lite version of a set of scripts for displaying a list of Minecraft game servers. Premium Minecraft Servers List is its premium version. A security vulnerability in the install.php file in versions of Minecraft Servers List Lite prior to commit c1cd164 and Premium...
CVE-2018-5749
install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) databaseserver, (2)...
Code injection
install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) databaseserver, (2)...
CVE-2018-5749
CVE-2018-5749 affects Minecraft Servers List Lite (pre-commit c1cd164) and Premium Minecraft Servers List (pre-2.0.4). The root cause is failure to sanitize/filter database connection information before storing it in connect.php, enabling a remote attacker to execute arbitrary PHP code via the pa...