VYPR
← All advisories
Medium severityNVD Advisory· Published Jun 2, 2026· Updated Jun 2, 2026

CVE-2026-35447

CVE-2026-35447

Description

NamelessMC 2.2.4 allows users to post to private profiles and inject replies into arbitrary wall posts due to insufficient authorization checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NamelessMC 2.2.4 allows users to post to private profiles and inject replies into arbitrary wall posts due to insufficient authorization checks.

Vulnerability

NamelessMC version 2.2.4 contains a vulnerability in modules/Core/pages/profile.php where wall post submissions and replies are processed before viewer authorization is checked. This allows any user with the profile.post permission to post to private or blocking profiles. Additionally, the reply functionality does not verify that the target wall post belongs to the currently viewed profile, enabling cross-profile injection [1].

Exploitation

An attacker with a low-privileged user account can exploit this by sending a POST request to a target profile's URI. To bypass privacy settings, the attacker can submit a new wall post directly to a private or blocking profile. For cross-profile reply injection, the attacker can use a restricted profile URL and specify an arbitrary wall post ID that does not belong to the target profile [1].

Impact

Successful exploitation allows attackers to write wall posts to private or blocking profiles, bypassing access restrictions. Furthermore, attackers can inject replies into arbitrary wall posts owned by other users, regardless of profile privacy settings, by exploiting a restricted profile URL [1].

Mitigation

This vulnerability is fixed in NamelessMC version 2.2.5. Users are advised to upgrade to the patched version as soon as possible. No workarounds are specified in the available references [1].

References
  1. Private or blocking profile pages can be bypassed with direct POST requests, and reply handling allows cross-profile writes

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The profile page processes wall post submissions and replies before verifying user authorization."

Attack vector

An attacker with low privileges can submit wall posts to private or blocking profiles by directly POSTing to the profile page before authorization checks are performed [ref_id=1]. The vulnerability also allows an attacker to inject replies into arbitrary wall posts. This is achieved by using a restricted profile URL and submitting a reply to a wall post ID that does not belong to the target profile [ref_id=1]. The provided Proof of Concept demonstrates posting to a blocked private profile and cross-profile replies via a restricted URL [ref_id=1].

Affected code

The vulnerability exists in `modules/Core/pages/profile.php` which handles wall post submissions and replies. Specifically, the code processes `new_post` and `reply` actions before checking `CAN_VIEW` authorization for the profile [ref_id=1]. The reply functionality fails to verify that the target wall post belongs to the current profile page.

What the fix does

The patch evaluates blocked/private-profile authorization before processing new post or reply actions. It also enforces that the target wall post must belong to the current profile page before inserting a reply. These changes centralize profile write authorization checks into a reusable function, preventing unauthorized content submission to private profiles and cross-profile reply injection [ref_id=1].

Preconditions

  • authAttacker must be a low-privileged user member.
  • authVictim user must have `private_profile=1` or have blocked the attacker.
  • inputAttacker needs a valid wall post ID for cross-profile reply injection.

Reproduction

PoC A: Post directly to a blocked/private profile docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php \ --method=POST \ --uri='/profile/victim/' \ --session-id='mprof1' \ --session-json='{"2user":"memberhash1234567890abcdef","2token":"tokmember"}' \ --post-json='{"action":"new_post","post":"Bypass new_post on blocked private profile","token":"tokmember"}'

PoC B: Reply to an unrelated wall post through a blocked victim profile URL docker exec -w /data nameless-224-php-1 php dev/scripts/request_runner.php \ --method=POST \ --uri='/profile/victim/' \ --session-id='mprof3' \ --session-json='{"2user":"memberhash1234567890abcdef","2token":"tokmember"}' \ --post-json='{"action":"reply","post":"11","reply":"Cross-profile reply via blocked victim URL","token":"tokmember"}'

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.