CVE-2026-35443
MEDIUM
NamelessMC: Forum reactions bypass the "view own topics only" restriction
Title source: cna
Description
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.
References (1)
Core 1
Core References
x_refsource_confirm
https://github.com/NamelessMC/Nameless/security/advisories/GHSA-wcrf-5gcp-pf64
Scores
CVSS v4
5.3
EPSS
0.0024
EPSS Percentile
14.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
NamelessMC/Nameless
= 2.2.4
Published
Jun 02, 2026
Tracked Since
Jun 02, 2026