NamelessMC: Forum reactions bypass the “view own topics only” restriction

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.

Basic Information

ID CVE-2026-35443

Source GitHub_M

Published Jun 2, 2026 at 15:50

Modified Jun 2, 2026 at 18:08

Affected Product

Vendor NamelessMC

Product Nameless

Version = 2.2.4

Affected Versions NamelessMC Nameless = 2.2.4

CWE Classification

CWE-862

References

github.com /NamelessMC/Nameless/security/advisories/GHSA-wcrf-5gcp-pf64

{
    "lastseen": "",
    "description": "NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.",
    "published": "2026-06-02T15:50:06.670Z",
    "modified": "2026-06-02T18:08:08.554Z",
    "type": "cve",
    "title": "NamelessMC: Forum reactions bypass the \"view own topics only\" restriction",
    "source": "GitHub_M",
    "references": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-wcrf-5gcp-pf64",
    "id": "CVE-2026-35443",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "NamelessMC Nameless = 2.2.4",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Nameless",
    "version": "= 2.2.4",
    "vendor": "NamelessMC",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

NamelessMC: Forum reactions bypass the “view own topics only” restriction_CVE-2026-35443