CVE-2026-35443 | THREATINT

Description

NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.

PUBLISHED Reserved 2026-04-02 | Published 2026-06-02 | Updated 2026-06-02 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

= 2.2.4

affected

References

github.com/...meless/security/advisories/GHSA-wcrf-5gcp-pf64 exploit

github.com/...meless/security/advisories/GHSA-wcrf-5gcp-pf64

cve.org (CVE-2026-35443)

nvd.nist.gov (CVE-2026-35443)

Download JSON