216.73.217.50

CVE-2026-34460

· Published 02/06/2026 16:16 · Modified 02/06/2026 20:16

Labels: CVE-2026-34460 2026-06-02CVE-2026-34460CWE-302[email protected]

Essential information

Published
02/06/2026 16:16
Modified
02/06/2026 20:16
Author
Creator
CVSS
5.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS metrics

Description

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
namelessmc / namelessmc cpe:2.3:a:namelessmc:namelessmc:2.2.4:*:*:*:*:*:*:*

References