Ctrl + K
/ news / CVE
CVEPublished 2026-06-02Modified 2026-06-020 articles on news5 live referencesNVD data

CVE-2026-33398

Vulnerability data via NVD (ingested)

CVSS v3.1
EPSS percentile
Weaknesses (CWE)
CWE-285Improper Authorization
Description

NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal topic page in `modules/Forum/pages/forum/view_topic.php` enforces forum visibility and `view_other_topics`. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue.

Timeline
Published 2026-06-02
Modified 2026-06-02

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common). Live host counts are a Premium feature.

Shodan · vuln tag
vuln:CVE-2026-33398
Hosts Shodan has explicitly fingerprinted as vulnerable.
More intel sources (5)
Shodan report
vuln:CVE-2026-33398
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-33398
Censys host search filtered to this CVE id.
grep.app
CVE-2026-33398
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-33398
GitHub code search for direct mentions.
Google dork
"CVE-2026-33398" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub

No public proof-of-concept repositories found for CVE-2026-33398 on GitHub.
We haven't classified any articles referencing CVE-2026-33398 yet. The external references above still apply.