CVE-2026-53674

216.73.216.6

· Published 10/06/2026 00:16 · Modified 10/06/2026 19:41

Labels: CVE-2026-53674 2026-06-10 CVE-2026-53674 CWE-943 [email protected]

Essential information

Published: 10/06/2026 00:16
Modified: 10/06/2026 19:41
Author: —
Creator: —
CVSS: 7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
buddypress / buddypress	`cpe:2.3:a:buddypress:buddypress:14.4.0:::::::*`