NamelessMC Cross-Site Scripting Vulnerability in SEO Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in NamelessMC versions prior to 2.2.4. This vulnerability allows remote authenticated attackers to inject arbitrary web scripts or HTML. The issue arises in the SEO component, where the default_keywords parameter can be manipulated to execute injected scripts.

Impact

Successful exploitation results in stored cross-site scripting: the injected script is saved by the application and later executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/nameless/panel/core/seo/' endpoint. Include the default_keywords parameter with a crafted value that injects a script, such as an alert() call. This request must be sent from an account with permission to access the SEO section.

Remediation

Users can upgrade to NamelessMC version 2.2.4 or later to address this vulnerability.
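
For installations reviewing similar custom code, the class of defect looks like the sketch below. It is an added example, not NamelessMC's code or its actual patch. It assumes the stored default_keywords value is emitted into a `<meta name="keywords">` attribute; the function names and the sample value are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from NamelessMC.
// Assumption: the stored SEO keywords are written into a double-quoted
// HTML attribute of a <meta name="keywords"> tag.

/** Tidy a comma-separated keyword list before storing it (hygiene, not the XSS defence). */
function normalise_keywords(string $raw): string
{
    $clean = [];
    foreach (explode(',', $raw) as $kw) {
        // Replace control characters with spaces, then collapse whitespace runs.
        $kw = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $kw) ?? '';
        $kw = trim(preg_replace('/\s+/', ' ', $kw) ?? '');
        if ($kw !== '') {
            $clean[] = $kw;
        }
    }
    return implode(', ', array_unique($clean));
}

/** Weak: the stored value is concatenated into the attribute unchanged. */
function render_keywords_unsafe(string $stored): string
{
    return '<meta name="keywords" content="' . $stored . '">';
}

/** Corrected: the value is HTML-encoded for an attribute context at output time. */
function render_keywords_safe(string $stored): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<meta name="keywords" content="' . $encoded . '">';
}

// Constructed sample value containing a quote and markup characters.
$sample = 'minecraft, forum"><script>alert(1)</script>';
$stored = normalise_keywords($sample);

// In the unsafe form the quote closes the attribute and the markup is parsed as HTML.
echo render_keywords_unsafe($stored), PHP_EOL;
// In the safe form the same characters arrive as inert entities inside the attribute.
echo render_keywords_safe($stored), PHP_EOL;
```

Encoding belongs at output, in the context where the value is rendered; the normalisation step only tidies the list and does not remove markup.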

Added: Aug 18, 2025, 4:17 PM
Updated: Aug 18, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.