MEDIUM 4.3

CVE-2026-32250: Reflected XSS in NamelessMC 2.2.4 User Queries Endpoint

NamelessMC, a website platform used for Minecraft server management, contains a reflected cross-site scripting (XSS) vulnerability in version 2.2.4. The flaw exists in how the application handles the `id` parameter on the user queries endpoint. An attacker can embed malicious JavaScript in a specially crafted URL; when a user clicks that link, the script runs in their browser with access to the site's session and data. This could enable attackers to steal session cookies, redirect users to phishing pages, or modify page content to deceive users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint `/index.php?route=/queries/user/`. The application reflects user-supplied input from the id parameter into the HTML response without proper sanitization or output encoding. An attacker can craft a malicious URL containing JavaScript code. When a victim visits the crafted URL, the injected script executes in the victim's browser within the context of the vulnerable application. This could allow attackers to execute arbitrary JavaScript, potentially leading to session hijacking, phishing attacks, or manipulation of page content. Version 2.2.5 fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-32250 is a reflected XSS vulnerability (CWE-79) in NamelessMC 2.2.4 affecting the endpoint `/index.php?route=/queries/user/`. The application fails to sanitize or encode user input from the `id` parameter before reflecting it into the HTML response. Because no server-side validation or output encoding is applied, untrusted input is passed directly to the browser. An attacker exploiting this can execute arbitrary JavaScript in the victim's security context. The vulnerability requires user interaction (a victim must visit the malicious URL), limiting its autonomous impact but not its likelihood—social engineering or embedded links in forums and Discord servers are common delivery vectors for Minecraft communities. Version 2.2.5 addresses this issue.

Business impact

For Minecraft server communities relying on NamelessMC, this vulnerability poses a significant trust and operational risk. Attackers could hijack administrator or moderator sessions to grant themselves elevated privileges, modify server settings, or access sensitive player data stored in the platform. Session theft could allow unauthorized access to player accounts and server management panels. A widespread phishing campaign targeting server administrators could compromise entire server infrastructures. Reputation damage is also a concern if players discover their data or communications were accessed via this vulnerability. The medium CVSS score reflects the requirement for user interaction but should not diminish prioritization in community-focused deployments where social engineering is highly effective.

Affected systems

NamelessMC version 2.2.4 and potentially earlier versions are vulnerable. The vulnerability is specific to the user queries endpoint and its handling of the `id` parameter. Any installation running an unpatched version 2.2.4 is at risk. Website administrators and their users (particularly those with administrative roles) are the primary targets, as attackers gain the most value from compromising high-privilege accounts.

Exploitability

This is a reflected XSS vulnerability with relatively low technical barriers to exploitation. An attacker needs only to craft a URL with JavaScript payload in the `id` parameter and trick a user into clicking it—no authentication is required. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms network accessibility, low attack complexity, and no privileges needed, offset only by the requirement for user interaction. The vulnerability does not support stored/persistent XSS, which limits its scope; however, reflected XSS remains highly exploitable in social engineering scenarios, especially within gaming communities where users routinely share links in Discord, forums, and in-game chat.

Remediation

Update NamelessMC to version 2.2.5 or later, which implements proper input sanitization and output encoding on the affected endpoint. Administrators should prioritize this patch immediately, particularly if their community has administrative users who access the platform via untrusted networks. Before patching, consider implementing a Web Application Firewall (WAF) rule to block or sanitize payloads in the `id` parameter as a temporary mitigation, though this should not replace the vendor patch.

Patch guidance

Upgrade to NamelessMC version 2.2.5 or later. Verify the patch version in your admin panel or check the GitHub releases page for NamelessMC to confirm you are running a patched build. Test the patch in a staging environment first, especially if your installation includes custom plugins or modifications, to ensure compatibility. No data migration or complex configuration changes are expected with this security update. After patching, clear user session tokens to force re-authentication and invalidate any potentially compromised sessions.

Detection guidance

Monitor web server access logs for suspicious patterns in the `/index.php?route=/queries/user/` endpoint, particularly requests with URL-encoded JavaScript payloads in the `id` parameter (look for characters like `<`, `>`, `script`, `onerror`, `onclick`, etc., even if encoded). Inspect browser console logs on user machines for unexpected script execution errors. Consider implementing Content Security Policy (CSP) headers to restrict inline script execution, which would mitigate the impact of reflected XSS even before patching. Review user session logs for simultaneous logins from unusual geographic locations or IP addresses, which may indicate session hijacking.

Why prioritize this

Although rated MEDIUM severity (CVSS 4.3), this vulnerability merits prompt attention for Minecraft server communities because (1) it requires no authentication to exploit, (2) social engineering is highly effective in gaming communities, (3) compromised administrator accounts can lead to widespread damage including unauthorized access to player data and server infrastructure, and (4) a patch is readily available. Organizations managing NamelessMC installations should treat this as a priority fix within their standard patch cycle, particularly if they host sensitive player data or monetized services.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects that the vulnerability is network-accessible with low attack complexity and no privileges required, but mitigated by the necessity for user interaction and limited confidentiality impact (CWE-79 reflected XSS typically cannot exfiltrate data directly without additional payload complexity). The score does not fully capture the operational risk in community contexts where social engineering is effective and administrator compromise can cascade into broader breaches. Organizations should augment the base CVSS score with context-specific risk assessment, particularly around the criticality of their NamelessMC installation and the sensitivity of player data stored.

Frequently asked questions

What versions of NamelessMC are affected?

Version 2.2.4 is confirmed vulnerable. Earlier versions may also be affected; vendors typically recommend upgrading to 2.2.5 or later as a precaution. Check the NamelessMC GitHub repository or official advisory for a definitive version timeline.

Do I need to reset all user passwords after patching?

Password reset is not strictly required by the patch itself, but it is a recommended security practice after any XSS vulnerability in an authentication context. At minimum, force re-authentication for all administrative users and any accounts that accessed the platform during the vulnerability window.

Can this vulnerability steal my password or bypass login?

This reflected XSS cannot directly steal passwords because it executes in the victim's browser after they are already logged in. However, it can steal session cookies or tokens, which allow an attacker to impersonate the victim without knowing their password. It cannot bypass login, but it can circumvent it by hijacking an active session.

Is this vulnerability being actively exploited?

CVE-2026-32250 is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread or confirmed active exploitation campaigns as of the publication date. However, the low technical barrier to exploitation means it could be weaponized opportunistically. Apply the patch proactively rather than waiting for evidence of active attacks.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. The details are derived from the published CVE description and CVSS metrics and should be verified against the official NamelessMC security advisory and vendor guidance. Organizations should conduct their own testing in non-production environments before applying patches. SEC.co does not provide warranty or guarantee regarding the completeness or accuracy of this analysis, nor does it constitute legal or professional security advice. Always refer to vendor-supplied patch notes and release documentation for definitive technical guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).