CVE-2026-40314
NamelessMC: Reactions on private or blocking profile posts can be read and modified without proper authorization
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated GET requests for reaction details. This means that unauthenticated visitors can read reaction participants and timestamps for private profile posts, and authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 fixes the issue.
| CWE | CWE-862 |
| Vendor | namelessmc |
| Product | nameless |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
Affected Versions
NamelessMC / Nameless
= 2.2.4
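The missing-authorization pattern from the description (CWE-862), as an added example that is not NamelessMC's code or its 2.2.5 patch: an existence-only check beside a gate that also applies profile visibility to both the read and the write path. The class, its method names, the visibility rule and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not NamelessMC's classes; all data below is constructed.
final class ReactionGate
{
    public function __construct(private array $profiles, private array $posts) {}

    // Pattern described in the advisory: the post existing is the only condition.
    public function existenceOnly(int $postId): bool
    {
        return array_key_exists($postId, $this->posts);
    }

    // Assumed visibility rule (profile id == owner's user id): owners see their own
    // wall; everyone else is refused on a private profile or when the owner blocked them.
    private function canViewProfile(?int $viewerId, int $profileId): bool
    {
        $profile = $this->profiles[$profileId] ?? null;
        if ($profile === null) {
            return false;
        }
        if ($viewerId === $profileId) {
            return true;
        }
        return !$profile['private'] && !in_array($viewerId, $profile['blocked'], true);
    }

    // One gate for both paths: reading reaction details and adding a reaction.
    public function allowed(?int $viewerId, int $postId, bool $write): bool
    {
        $post = $this->posts[$postId] ?? null;
        if ($post === null || ($write && $viewerId === null)) {
            return false; // unknown post, or a guest attempting a write
        }
        return $this->canViewProfile($viewerId, $post['profile']);
    }
}

$gate = new ReactionGate(
    [1 => ['private' => true, 'blocked' => []], 2 => ['private' => false, 'blocked' => [7]],
     3 => ['private' => false, 'blocked' => []]],
    [10 => ['profile' => 1], 20 => ['profile' => 2], 30 => ['profile' => 3]]
);
// Cases: guest read on a private wall, blocked user write, same user on a public wall, owner.
foreach ([[null, 10, false], [7, 20, true], [7, 30, true], [1, 10, true]] as [$viewer, $postId, $write]) {
    printf("viewer=%s post=%d write=%d existence-only=%d hardened=%d\n",
        $viewer ?? 'guest', $postId, $write, $gate->existenceOnly($postId),
        $gate->allowed($viewer, $postId, $write));
}
```

The first two cases are the ones the description names: the existence-only check passes them, while the visibility-aware gate refuses both.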