Namelessmc Nameless vulnerabilities
20 known vulnerabilities affecting namelessmc/nameless.
Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 13
Vulnerabilities
CVE-2025-22144 | P2 | CRITICAL | CVSS 9.8 | CWE-610 | fixed in 2.1.3 | ≤ 2.1.2 | 2025-01-13
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admi
nvd
CVE-2026-40314 | P3 | MEDIUM | CVSS 6.9 | CWE-862 | v= 2.2.4 | 2026-06-02
NamelessMC is website software for Minecraft servers. In version 2.2.4,`core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated GET requests for reaction details. This means that unauthenticated visit
nvd
CVE-2022-2821 | P3 | HIGH | CVSS 7.5 | CWE-304 | fixed in 2.0.2 | 2022-08-15
Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2.
nvd
CVE-2025-29784 | P3 | HIGH | CVSS 7.5 | CWE-20 | fixed in 2.2.0 | 2025-04-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) at
nvd
CVE-2025-32389 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | fixed in 2.1.4 | 2025-04-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a&param[1]=b&param[2]=c` utilized by PHP, which is parsed by PHP as `$_GET
nvd
CVE-2025-31118 | P3 | HIGH | CVSS 7.1 | CWE-400 | fixed in 2.2.0 | 2025-04-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, forum quick reply feature (view_topic.php) does not implement any spam prevention mechanism. This allows authenticated users to continuously post replies without any time restriction, resulting in an uncontrolled surge of posts that can dis
nvd
CVE-2025-30158 | P3 | HIGH | CVSS 7.1 | CWE-400 | fixed in 2.2.0 | 2025-04-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe's width and height attributes. This allows an authenticated attacker to perform a UI-based denial of service (DoS) by injecti
nvd
CVE-2026-33398 | P3 | HIGH | CVSS 7.1 | CWE-285 | v= 2.2.4 | 2026-06-02
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal
nvd
CVE-2022-2820 | P3 | HIGH | CVSS 8.2 | CWE-384 | fixed in 2.0.2 | 2022-08-15
Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2.
nvd
CVE-2026-35447 | P3 | MEDIUM | CVSS 5.3 | CWE-201 | v= 2.2.4 | 2026-06-02
NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to write wall posts to private or blocking profiles. Addit
nvd
CVE-2025-30357 | P4 | MEDIUM | CVSS 6.8 | CWE-706 | fixed in 2.2.0 | 2025-04-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator deletes the malicious user's account, all their posts
nvd
CVE-2026-35443 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | v= 2.2.4 | 2026-06-02
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions c
nvd
CVE-2026-40571 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | v= 2.2.4 | 2026-06-02
NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 contains a
nvd
CVE-2026-34460 | P4 | MEDIUM | CVSS 5.4 | CWE-302 | fixed in 2.2.5 | 2026-06-02
NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the
nvd
CVE-2025-54118 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 2.2.4 | 2025-08-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Sensitive information disclosure in NamelessMC before 2.2.4 allows unauthenticated remote attacker to gain sensitive information such as absolute path of the source code via list parameter. This vulnerability is fixed in 2.2.4.
nvd
CVE-2025-31120 | P4 | MEDIUM | CVSS 5.3 | CWE-565 | fixed in 2.2.0 | 2025-04-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine i
nvd
CVE-2025-22142 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.1.3 | ≤ 2.1.2 | 2025-01-13
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff panel. As a result an attacker can execute javascript c
nvd
CVE-2025-54421 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.2.4 | 2025-08-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via the default_keywords crafted parameter. This vulnerability is fixed in 2.2.4.
nvd
CVE-2025-54117 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.2.4 | 2025-08-18
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the dashboard text editor component. This vulnerability is fixed in 2.2.4.
nvd
CVE-2026-32250 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | v= 2.2.4 | 2026-06-02
NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint `/index.php?route=/queries/user/`. The application reflects user-supplied input from the id parameter into the HTML response without proper sanitization or output encoding. An a
nvd