CVE-2025-32389: NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages

8.6 CVSS

Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a¶m[1]=b¶m[2]=c` utilized by PHP, which is parsed by PHP as `$_GET['param']` being of type array. This issue has been patched in version 2.1.4.

Classification

CVE ID: CVE-2025-32389

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: NamelessMC

Product: Nameless

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32389
https://github.com/NamelessMC/Nameless/security/advisories/GHSA-5984-mhcp-cq2x
https://github.com/NamelessMC/Nameless/commit/02c81c7c45b98fad1ebe3bc085efae18aec4566f
https://github.com/NamelessMC/Nameless/releases/tag/v2.1.4

Timeline

2025-04-18 16:40:19 UTC
CVE

NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages