CVE-2026-32250
Description
NamelessMC 2.2.4 has a Reflected XSS vulnerability in the user queries endpoint, allowing script execution via crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NamelessMC 2.2.4 has a Reflected XSS vulnerability in the user queries endpoint, allowing script execution via crafted URLs.
Vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NamelessMC version 2.2.4 within the id parameter of the /index.php?route=/queries/user/ endpoint. The application reflects user-supplied input from the id parameter directly into the HTML response without adequate sanitization or output encoding, making it vulnerable to injection attacks.
Exploitation
An attacker can craft a malicious URL containing JavaScript code and trick a victim into visiting it. When the victim accesses the crafted URL, the injected script will execute within the victim's browser in the context of the NamelessMC application. The vulnerability is triggered by sending a GET request with a specially crafted id parameter, such as /index.php?route=/queries/user/&id=em8jh%20onerror%3dalert("XSS")%20cflyw [1].
Impact
Successful exploitation of this Reflected XSS vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser. This can lead to severe consequences such as session hijacking through stolen cookies, phishing attacks, or manipulation of the application's Document Object Model (DOM) to deceive users [1].
Mitigation
NamelessMC version 2.2.5 addresses this vulnerability. Users are advised to upgrade to version 2.2.5 or later as soon as possible. No workarounds are specified in the available references [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.2.4
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The application reflects user-supplied input from the id parameter into the HTML response without proper sanitization or output encoding."
Attack vector
An attacker can craft a malicious URL containing JavaScript code targeting the `/index.php?route=/queries/user/` endpoint. The `id` parameter is reflected directly into the HTML response without proper encoding. When a victim visits this crafted URL, the injected script executes within the victim's browser in the context of the vulnerable application, potentially leading to session hijacking or other malicious actions [ref_id=1].
Affected code
The vulnerability exists in the `id` parameter of the endpoint `/index.php?route=/queries/user/`. The application directly reflects the value of the `id` parameter into the HTML response without performing adequate sanitization or output encoding [ref_id=1].
What the fix does
The advisory indicates that version 2.2.5 fixes the issue by properly sanitizing and encoding the user-supplied input from the `id` parameter before reflecting it into the HTML response. This prevents injected JavaScript from executing in the victim's browser [ref_id=1].
Preconditions
- inputThe attacker must craft a URL with a malicious payload in the `id` parameter.
- networkThe victim must visit the crafted URL.
Reproduction
Step 1: Send the following request: GET /index.php?route=/queries/user/&id=em8jh%20onerror%3dalert("XSS")%20cflyw HTTP/1.1 Host: 172.16.3.130 Step 2: Open the response in a browser. Step 3: The injected JavaScript executes: alert("XSS") [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.