CVE-2026-32250
Reflected XSS in NamelessMC
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| namelessmc | namelessmc | < 2.2.5 (2.2.5 excluded) |
| namelessmc | namelessmc | 2.2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32250 is a Reflected Cross-Site Scripting (XSS) vulnerability in NamelessMC website software for Minecraft servers, specifically in version 2.2.4 and earlier. The vulnerability exists in the id parameter of the /index.php?route=/queries/user/ endpoint, where user-supplied input is reflected into the HTML response without proper sanitization or output encoding.
An attacker can craft a malicious URL containing JavaScript code. When a victim visits this URL, the injected script executes in their browser within the context of the vulnerable application.
This flaw allows attackers to execute arbitrary JavaScript, which can lead to session hijacking, phishing attacks, or manipulation of page content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this Reflected Cross-Site Scripting (XSS) vulnerability in NamelessMC affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of your browser session with the vulnerable NamelessMC application.
- Session hijacking: Attackers can steal session cookies to impersonate users.
- Phishing attacks: Malicious scripts can redirect users to fraudulent sites or display fake login forms.
- Manipulation of page content: Attackers can alter the displayed content to mislead or confuse users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a request to `/index.php?route=/queries/user/` with a harmless marker in the `id` parameter and checking whether that marker is reflected into the HTML response without output encoding.
- Use curl to send the probe, letting curl URL-encode the payload so that the `<`, `>` and quote characters reach the application intact: curl -isS -G "http://yourserver/index.php" --data-urlencode "route=/queries/user/" --data-urlencode "id=<script>alert('XSS')</script>"
- Check the response body for the payload. If `<script>alert('XSS')</script>` appears verbatim, the input is reflected unencoded and the endpoint is vulnerable; if it appears as `&lt;script&gt;alert('XSS')&lt;/script&gt;`, output encoding is applied and this payload does not execute.
- Alternatively, use a web vulnerability scanner that supports reflected XSS detection against the affected endpoint.
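The probe described above, written out as a small Python script. This is an added example, not code from NamelessMC or from the page's author; it assumes only what the advisory states (the `id` parameter of `/index.php?route=/queries/user/` is reflected into HTML). The base URL, the canary format, and the two sample response bodies used to exercise the classifier are constructed placeholders. The script uses a random canary rather than a `<script>` string so that a match cannot be a coincidence and so that it does not trip WAF signatures, and it distinguishes three outcomes: canary reflected unencoded (vulnerable), canary reflected entity-encoded (output encoding in place), or canary absent.

```python
"""Probe a NamelessMC-style endpoint for reflected XSS in the `id` parameter.

Added example for CVE-2026-32250; not NamelessMC's own code.
Assumption: the target reflects the `id` query parameter of
/index.php?route=/queries/user/ into the HTML response.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

ROUTE = "/queries/user/"  # route named in the advisory


def make_canary():
    # Tag-shaped marker with a random suffix: contains the characters that a
    # safe reflection must encode, and is unique per run.
    return f"<cve32250{secrets.token_hex(4)}>"


def build_probe_url(base_url, canary):
    # urlencode() percent-encodes '/', '<' and '>' so the payload survives
    # transport unchanged; PHP decodes it back before reflecting it.
    query = urllib.parse.urlencode({"route": ROUTE, "id": canary})
    return f"{base_url.rstrip('/')}/index.php?{query}"


def classify_reflection(body, canary):
    """Return 'unencoded' (vulnerable), 'encoded' (escaped) or 'absent'."""
    if canary in body:
        return "unencoded"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def probe(base_url, timeout=10):
    """Send one GET to the target and classify how the canary comes back."""
    canary = make_canary()
    req = urllib.request.Request(
        build_probe_url(base_url, canary),
        headers={"User-Agent": "cve-2026-32250-probe"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body, canary)


# Constructed sample bodies (placeholders, not real NamelessMC output) showing
# what an unpatched and a patched reflection of the same canary look like.
SAMPLE_CANARY = "<cve32250deadbeef>"
VULNERABLE_BODY = "<p>No user found with id <cve32250deadbeef></p>"
PATCHED_BODY = "<p>No user found with id &lt;cve32250deadbeef&gt;</p>"


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))  # e.g. python3 probe.py http://yourserver
    else:
        for name, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
            print(name, "->", classify_reflection(body, SAMPLE_CANARY))
```

Run it against a test instance you are authorized to assess; an `unencoded` result on a version below 2.2.5 confirms the reflection, and the same run after the upgrade should report `encoded` or `absent`.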
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade NamelessMC to version 2.2.5 or later, where the issue is fixed.
Until the upgrade can be applied, consider implementing web application firewall (WAF) rules to block requests containing suspicious script tags in the `id` parameter.
Additionally, educate users to avoid clicking on suspicious or untrusted URLs that may exploit this vulnerability.