Description
NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint `/index.php?route=/queries/user/`. The application reflects user-supplied input from the id parameter into the HTML response without proper sanitization or output encoding. An attacker can craft a malicious URL containing JavaScript code. When a victim visits the crafted URL, the injected script executes in the victim's browser within the context of the vulnerable application. This could allow attackers to execute arbitrary JavaScript, potentially leading to session hijacking, phishing attacks, or manipulation of page content. Version 2.2.5 fixes the issue.
Published: 2026-06-02
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NamelessMC version 2.2.4 fails to encode user‑supplied input in the id parameter of the /index.php?route=/queries/user/ endpoint. The value is reflected back into the HTML response without sanitization, allowing an attacker to inject malicious JavaScript. When a victim visits a crafted URL, the script executes in the victim’s browser, giving the attacker the ability to hijack sessions, execute phishing attacks, or modify page content. The attack is a classic XSS vector that compromises the confidentiality and integrity of user sessions and the visual integrity of the site.

Affected Systems

The vulnerable software is NamelessMC, a web platform for Minecraft servers. Only version 2.2.4 is impacted; the issue was resolved in 2.2.5. No other versions were listed as affected.

Risk and Exploitability

With a CVSS score of 4.3, the vulnerability is rated Medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there. The attack vector is remote and depends on user interaction: an attacker needs to craft a URL containing malicious JavaScript and convince a user to visit it. No authentication or local access is required, so the flaw is widely exploitable for as long as the installation remains unpatched.

Generated by OpenCVE AI on June 2, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NamelessMC installation to version 2.2.5 or later, which includes the fix for the XSS flaw.
  • If an upgrade cannot be performed immediately, install a web application firewall or similar filtering solution configured to block known XSS payload patterns on the /index.php?route=/queries/user/ endpoint.
  • Ensure that all user-supplied input is properly encoded or sanitized on all future application pages to prevent similar XSS vulnerabilities from reappearing.
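
A log-review check for the affected endpoint, added here as an example (it is not code from NamelessMC or OpenCVE): it flags access-log requests to the /queries/user/ route whose decoded id value falls outside a strict allowlist. The numeric-only allowlist for id, the combined access-log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

VULN_ROUTE = "/queries/user"            # route named in the advisory, trailing slash stripped
SAFE_ID = re.compile(r"[0-9]{1,10}")    # assumption: a legitimate id is a short decimal number


def suspicious_id(line):
    """Return the decoded id value if the line is a request to the affected
    route with an id outside the allowlist, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.endswith("/index.php"):
        return None
    # parse_qs percent-decodes once, so encoded route values are normalised
    # and double-encoded ids still contain '%' and fail the allowlist.
    query = parse_qs(target.query, keep_blank_values=True)
    if not any(r.rstrip("/") == VULN_ROUTE for r in query.get("route", [])):
        return None
    for value in query.get("id", []):
        if not SAFE_ID.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_id) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines, 1)
            if (v := suspicious_id(line)) is not None]


# Constructed sample log lines (documentation IP ranges, harmless markup marker).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:15:01:10 +0000] "GET /index.php?route=/queries/user/&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2026:15:02:31 +0000] "GET /index.php?route=/queries/user/&id=%22%3E%3Cb%3Emarker HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2026:15:02:40 +0000] "GET /index.php?route=%2Fqueries%2Fuser%2F&id=7%253Cb HTTP/1.1" 200 540 "-" "curl/8.0"',
    '198.51.100.4 - - [02/Jun/2026:15:03:02 +0000] "GET /index.php?route=/forum/&id=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: id outside allowlist: {value!r}")
```

The same allowlist test can back a filtering rule in front of the endpoint until the upgrade to 2.2.5 is done; rejecting anything that is not a plain number is more robust than matching known payload patterns.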



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Namelessmc; Namelessmc nameless
Vendors & Products | | Namelessmc; Namelessmc nameless

Tue, 02 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this page)
Title | | NamelessMC has Reflected Cross-Site Scripting (XSS) in id parameter of /index.php?route=/queries/user/
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T14:12:48.164Z

Reserved: 2026-03-11T14:47:05.686Z

Link: CVE-2026-32250

Vulnrichment

Updated: 2026-06-02T14:12:17.073Z

NVD

Status: Deferred

Published: 2026-06-02T14:16:50.467

Modified: 2026-06-02T16:16:35.830

Link: CVE-2026-32250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:15:12Z

Weaknesses