CVE-2026-32250
Deferred Deferred - Pending Action
Reflected XSS in NamelessMC

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint `/index.php?route=/queries/user/`. The application reflects user-supplied input from the id parameter into the HTML response without proper sanitization or output encoding. An attacker can craft a malicious URL containing JavaScript code. When a victim visits the crafted URL, the injected script executes in the victim's browser within the context of the vulnerable application. This could allow attackers to execute arbitrary JavaScript, potentially leading to session hijacking, phishing attacks, or manipulation of page content. Version 2.2.5 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-32250
EUVD
EUVD-2026-33925
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
namelessmc namelessmc to 2.2.5 (exc)
namelessmc namelessmc 2.2.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this Reflected Cross-Site Scripting (XSS) vulnerability in NamelessMC affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-32250 is a Reflected Cross-Site Scripting (XSS) vulnerability in NamelessMC website software for Minecraft servers, specifically in version 2.2.4 and earlier. The vulnerability exists in the id parameter of the /index.php?route=/queries/user/ endpoint, where user-supplied input is reflected into the HTML response without proper sanitization or output encoding.

An attacker can craft a malicious URL containing JavaScript code. When a victim visits this URL, the injected script executes in their browser within the context of the vulnerable application.

This flaw allows attackers to execute arbitrary JavaScript, which can lead to session hijacking, phishing attacks, or manipulation of page content.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of your browser session with the vulnerable NamelessMC application.

  • Session hijacking: Attackers can steal session cookies to impersonate users.
  • Phishing attacks: Malicious scripts can redirect users to fraudulent sites or display fake login forms.
  • Manipulation of page content: Attackers can alter the displayed content to mislead or confuse users.
Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint `/index.php?route=/queries/user/` with the `id` parameter to see if it reflects unsanitized input in the HTML response.

One way to detect it is by crafting a URL with a simple JavaScript payload in the `id` parameter and observing if the script executes or appears in the response.

  • Use curl or wget to send a request with a test payload, for example: curl -i "http://yourserver/index.php?route=/queries/user/&id=<script>alert('XSS')</script>"
  • Check the HTTP response for the presence of the injected script tag without proper encoding.
  • Alternatively, use a web vulnerability scanner that supports reflected XSS detection against the affected endpoint.
Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade NamelessMC to version 2.2.5 or later, where the issue is fixed.

Until the upgrade can be applied, consider implementing web application firewall (WAF) rules to block requests containing suspicious script tags in the `id` parameter.

Additionally, educate users to avoid clicking on suspicious or untrusted URLs that may exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart