Auth bypass in Namelessmc Nameless

CVE-2026-40314

NamelessMC is website software for Minecraft servers. In version 2.2.4,`core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/querie…

Vulnerability class: Broken Access Control

EPSS: 0.000 (12.7th percentile) — read the EPSS interpretation.

Affected products

Namelessmc Nameless — versions = 2.2.4

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

security-advisories@github.com (x_refsource_CONFIRM)