CVE-2025-22144 (CRITICAL 9.8, EPSS percentile 49.4%)


Description

NamelessMC is a free, easy to use and powerful website software for Minecraft servers. A user with the admincp.core.emails or admincp.users.edit permission can manually validate other users' accounts, after which an attacker can reset those users' passwords. When an account is approved via the email link, its reset_code is NULL; when it is instead validated manually by a user with the admincp.core.emails or admincp.users.edit permission, reset_code is no longer NULL but an empty string. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= (an empty reset code) and reset the password. As a result, an attacker may compromise another user's password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% probability of exploitation · percentile 49.4% · 2026-06-18T12:00:27Z
Published: 2025-01-13
Last modified: 2025-05-13

Underlying weaknesses (2)

CWE-610, CWE-640

References

  1. https://github.com/NamelessMC/Nameless/releases/tag/v2.1.3
  2. https://github.com/NamelessMC/Nameless/security/advisories/GHSA-p883-7496-x35p


Type | Target | Confidence | Tier
Weakness | Externally Controlled Reference to a Resource in Another Sphere (cwe-610) | 0% | live
Weakness | Weak Password Recovery Mechanism for Forgotten Password (cwe-640) | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-34460, CVE-2026-32250, CVE-2026-35447, CVE-2026-40314, CVE-2026-33398, CVE-2026-35443
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.