Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-35447— NamelessMC: Private or blocking profile pages can be bypassed with direct POST requests, and reply handling allows cross-profile writes

AI Predicted 5.3 Difficulty: Moderate

Possible ATT&CK Techniques 1AI

T1133 · External Remote Services

Affected Version Matrix 1

VendorProductVersion RangeStatus
NamelessMCNameless= 2.2.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-35447

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
NamelessMC: Private or blocking profile pages can be bypassed with direct POST requests, and reply handling allows cross-profile writes
Source: NVD (National Vulnerability Database)
Vulnerability Description
NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to write wall posts to private or blocking profiles. Additionally, the reply branch does not verify that the target wall post belongs to the current profile, enabling attackers to inject replies into arbitrary wall posts owned by other profiles via a restricted profile URL. This is patched in version 2.2.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过发送数据的信息暴露
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
NamelessMCNameless = 2.2.4 -

II. Public POCs for CVE-2026-35447

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-35447

登录查看更多情报信息。

Vendor Advisories for CVE-2026-35447 (1)

Same Patch Batch · NamelessMC · 2026-06-02 · 7 CVEs total

CVE-2026-344605.4 MEDIUMNamelessMC: OAuth callback `state` is not validated, allowing login CSRF / session swappin
CVE-2026-322504.3 MEDIUMNamelessMC has Reflected Cross-Site Scripting (XSS) in id parameter of /index.php?route=/q
CVE-2026-33398Authenticated users can read hidden forum posts through `/forum/get_quotes`
CVE-2026-35443NamelessMC: Forum reactions bypass the "view own topics only" restriction
CVE-2026-40314NamelessMC: Reactions on private or blocking profile posts can be read and modified withou
CVE-2026-40571NamelessMC: Reactions on private or blocking profile posts can be modified without proper

IV. Related Vulnerabilities

Same product: Nameless
Same vendor: NamelessMC
Same weakness: CWE-201

V. Comments for CVE-2026-35447

No comments yet

Leave a comment