CVE-2025-54117

CRITICAL

Nameless < 2.2.4 - Basic XSS

Title source: rule

Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the dashboard text editor component. This vulnerability is fixed in 2.2.4.

References (2)

[Exploit, Vendor Advisory] https://github.com/NamelessMC/Nameless/security/advisories/GHSA-gp3j-j84w-vqxx

[Patch] https://github.com/NamelessMC/Nameless/commit/0e77706b2966dd9f2e30502126d6581ecc001f09

View Patch ZIP pw:eip

Scores

CVSS v3 9.0

EPSS 0.0004

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-79

Status published

Products (1)

namelessmc/nameless < 2.2.4

Published Aug 18, 2025

Tracked Since Feb 18, 2026