CVE-2026-35443

Source
https://cve.org/CVERecord?id=CVE-2026-35443
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35443.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35443
Aliases
  • GHSA-wcrf-5gcp-pf64
Published
2026-06-02T15:50:06.670Z
Modified
2026-07-08T08:09:28.338986199Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
NamelessMC: Forum reactions bypass the "view own topics only" restriction
Details

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level view_other_topics authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35443.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/namelessmc/nameless

Affected ranges

Type
GIT
Repo
https://github.com/namelessmc/nameless
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "= 2.2.4"
        },
        {
            "last_affected": "= 2.2.4"
        }
    ]
}

Affected versions

= 2.*
= 2.2.4
v2.*
v2.2.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35443.json"