CVE-2026-35443

EPSS 0.24%
Veröffentlicht 02.06.2026 15:50:06
Zuletzt bearbeitet 02.06.2026 20:16:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerNamelessMC

≫

Produkt Nameless

Version = 2.2.4

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.142

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/NamelessMC/Nameless/security/advisories/GHSA-wcrf-5gcp-pf64

https://nvd.nist.gov/vuln/detail/CVE-2026-35443

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35443

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35443

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35443