
NamelessMC CVE-2026-33398

EUVD-2026-33949 · HIGH
Improper Authorization (CWE-285)
2026-06-02 · GitHub_M
7.1 · CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated: Jun 02, 2026 - 18:06 (vuln.today)
CVSS changed: Jun 02, 2026 - 16:22 (NVD), 7.1 (HIGH)
CVE Published: Jun 02, 2026 - 15:19 (NVD), UNKNOWN (no severity yet)

Description (GitHub Advisory)

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/get_quotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not enforce forum or topic ACLs. In contrast, the normal topic page in modules/Forum/pages/forum/view_topic.php enforces forum visibility and view_other_topics. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.
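The description above contrasts an endpoint that checks only "is the caller logged in" with a topic page that also enforces forum visibility and the view_other_topics permission. The following Python model, added here as an illustration and not NamelessMC's own code, puts the two behaviours side by side: the data model, group names, the VIEW_OTHER_TOPICS table and the function names are all assumptions chosen to mirror the advisory text, not the project's real classes or API.

```python
"""Authentication-only versus authentication-plus-ACL for a forum 'quote' endpoint.

Added illustration, not NamelessMC code. Forum/Topic/Post, the group names and
the permission tables below are assumptions modelled on the advisory wording.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    groups: frozenset  # group names, e.g. {"member"} or {"member", "staff"}


@dataclass(frozen=True)
class Forum:
    id: int
    view_groups: frozenset  # groups allowed to see the forum at all (hypothetical ACL)


@dataclass(frozen=True)
class Topic:
    id: int
    forum_id: int
    author_id: int


@dataclass(frozen=True)
class Post:
    id: int
    topic_id: int
    content: str


# Constructed sample data: forum 1 is public, forum 2 is staff-only.
FORUMS = {1: Forum(1, frozenset({"member", "staff"})),
          2: Forum(2, frozenset({"staff"}))}
TOPICS = {10: Topic(10, forum_id=1, author_id=100),
          20: Topic(20, forum_id=2, author_id=101)}
POSTS = {1000: Post(1000, topic_id=10, content="Welcome to the server!"),
         2000: Post(2000, topic_id=20, content="Ban appeal discussion (staff only)")}

# Per-forum groups allowed to read topics started by *other* users.
# Hypothetical table standing in for the 'view_other_topics' permission.
VIEW_OTHER_TOPICS = {1: frozenset({"member", "staff"}), 2: frozenset({"staff"})}


def can_view_post(user, post):
    """The checks a topic view page applies before rendering a post."""
    topic = TOPICS[post.topic_id]
    forum = FORUMS[topic.forum_id]
    if not (user.groups & forum.view_groups):
        return False  # forum is hidden from every group the user belongs to
    if topic.author_id == user.id:
        return True  # a user may always read their own topic
    return bool(user.groups & VIEW_OTHER_TOPICS[forum.id])


def get_quote_vulnerable(user, post_id):
    """Authentication only: any logged-in user receives any post (the flaw described)."""
    if user is None:
        return None
    post = POSTS.get(post_id)
    return post.content if post else None


def get_quote_fixed(user, post_id):
    """Authentication plus the same ACL the topic page enforces."""
    if user is None:
        return None
    post = POSTS.get(post_id)
    if post is None or not can_view_post(user, post):
        return None  # same answer for missing and forbidden IDs, so no ID oracle
    return post.content
```

The fixed variant deliberately returns the same empty result for a nonexistent post and for a post the caller may not see; answering "forbidden" differently would still let a caller map which IDs exist in hidden forums.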

Analysis (AI)

Broken access control in NamelessMC 2.2.4 (Minecraft community website software) allows any low-privileged authenticated user to read posts from hidden, private, or staff-only forums by sending crafted requests to the get_quotes.php endpoint. The Forum module's quote helper only verifies that the caller is logged in and fails to enforce forum/topic visibility ACLs that the normal topic view does enforce. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Register or use existing low-priv account
Delivery: Authenticate to NamelessMC site
Exploit: Send crafted request to get_quotes.php with target post ID
Execution: Bypass missing forum/topic ACL check
Persist: Receive hidden post content in response
Impact: Iterate IDs to enumerate private forums

Vulnerability Assessment (AI)

Exploitation: Attacker needs any authenticated low-privileged NamelessMC account (CVSS PR:L) on a target site running version 2.2.4 with the standard Forum module enabled - the vulnerable endpoint is modules/Forum/pages/forum/get_quotes.php in the default Forum module shipped with core. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N scores this 7.1 (High) with confidentiality-only impact - accurately reflecting that an authenticated low-privileged user can read content but cannot modify or take down the server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker registers a normal account on a target NamelessMC 2.2.4 community (or uses an existing low-privilege account), authenticates, and then iterates POST or GET requests to modules/Forum/pages/forum/get_quotes.php supplying sequential or guessed post IDs. The server returns the full post body for each ID without checking whether the requesting account can see the parent forum or topic, exposing staff-only moderation threads, private ban appeals, and other restricted discussions. …
Remediation: Vendor-released patch: upgrade NamelessMC to 2.2.5, which adds the missing forum and topic ACL enforcement in the Forum helper as described in advisory GHSA-2r6x-cv4f-h8fx (https://github.com/NamelessMC/Nameless/security/advisories/GHSA-2r6x-cv4f-h8fx). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all NamelessMC 2.2.4 instances in production; enable detailed logging on the get_quotes.php endpoint to establish baseline access and detect exploitation attempts. …
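The recommendation above is to log access to get_quotes.php and watch for exploitation attempts; the distinguishing pattern from the scenario is one account requesting many distinct, often sequential, post IDs in a short time. The script below, added here as an example and not vuln.today's or NamelessMC's code, runs that check over constructed combined-format access log lines. It assumes the post ID arrives as a query parameter named post; that name is an assumption, so verify the real parameter in your own logs before relying on it.

```python
"""Flag clients sweeping the forum quote endpoint with many distinct post IDs.

Added example, not vuln.today's or NamelessMC's code. Assumes a combined-format
access log and (assumption) that the post ID is the 'post' query parameter.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT = "get_quotes.php"

# Constructed sample lines (not real traffic): one ordinary quote request by
# alice, then one account walking a run of post IDs in a few seconds.
SAMPLE_LOG = """\
203.0.113.5 - alice [02/Jun/2026:15:20:01 +0000] "GET /modules/Forum/pages/forum/get_quotes.php?post=1000 HTTP/1.1" 200 512
203.0.113.9 - mallory [02/Jun/2026:15:21:00 +0000] "GET /modules/Forum/pages/forum/get_quotes.php?post=2000 HTTP/1.1" 200 611
203.0.113.9 - mallory [02/Jun/2026:15:21:01 +0000] "GET /modules/Forum/pages/forum/get_quotes.php?post=2001 HTTP/1.1" 200 590
203.0.113.9 - mallory [02/Jun/2026:15:21:02 +0000] "GET /modules/Forum/pages/forum/get_quotes.php?post=2002 HTTP/1.1" 200 0
203.0.113.9 - mallory [02/Jun/2026:15:21:03 +0000] "GET /modules/Forum/pages/forum/get_quotes.php?post=2003 HTTP/1.1" 200 720
203.0.113.9 - mallory [02/Jun/2026:15:21:04 +0000] "GET /modules/Forum/pages/forum/get_quotes.php?post=2004 HTTP/1.1" 200 640
203.0.113.5 - alice [02/Jun/2026:15:25:00 +0000] "GET /forum/view/10-welcome HTTP/1.1" 200 8192
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["path"])
    rec["endpoint"] = url.path.rsplit("/", 1)[-1]
    ids = parse_qs(url.query).get("post", [])  # assumed parameter name
    rec["post_id"] = int(ids[0]) if ids and ids[0].isdigit() else None
    return rec


def find_sweeps(log_text, min_ids=5, window_seconds=300):
    """Return {(ip, user): (distinct_ids, longest_sequential_run)} for clients
    that requested at least min_ids distinct post IDs from the endpoint within
    any window of window_seconds."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["endpoint"] == ENDPOINT and rec["post_id"] is not None:
            by_client[(rec["ip"], rec["user"])].append((rec["ts"], rec["post_id"]))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = sorted({pid for _, pid in events[start:end + 1]})
            if len(ids) >= min_ids:
                run = best = 1
                for a, b in zip(ids, ids[1:]):
                    run = run + 1 if b == a + 1 else 1
                    best = max(best, run)
                hits[client] = (len(ids), best)
    return hits


if __name__ == "__main__":
    for (ip, user), (count, run) in find_sweeps(SAMPLE_LOG).items():
        print(f"{user}@{ip}: {count} distinct post IDs, longest sequential run {run}")
```

Keying on both IP and authenticated username matters here: the vulnerable path requires a logged-in account, so the username is the more stable identifier if the client rotates addresses, while a long sequential run is the signal that separates enumeration from a user quoting a handful of posts in one thread.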


CVE-2026-33398 vulnerability details – vuln.today
