CVE-2026-53674
7.1 HIGH
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibilit...
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 7.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
- CWE: CWE-943
Description
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-41697 — Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING,... (4.8 MEDIUM)
- CVE-2026-41696 — Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of th... (5.9 MEDIUM)
- CVE-2026-40102 — Plane is an open-source project management tool (6.5 MEDIUM)
- CVE-2026-44425 — ShellHub is a centralized SSH gateway (5.4 MEDIUM)