CVE-2026-53674
Status: Received - Intake
Regular Expression Injection in BuddyPress Activity Mention Resolver

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.
Affected Vendors & Products
Vendor: buddy_press
Product: buddy_press
Version / Range: 14.4.0
CWE
CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Executive Summary

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver. When username compatibility mode is enabled, attackers can craft mention names containing regex metacharacters that manipulate a REGEXP database clause.

These crafted @mentions pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table. This allows attackers to perform boolean-based inference of usernames and cause denial of service through catastrophic backtracking.
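To make the mechanism in the Description and Executive Summary concrete, here is an added Python/SQLite model (not BuddyPress code): a resolver that SQL-escapes mention names and interpolates them into a REGEXP clause, beside a hardened resolver that drops REGEXP and binds each name as a parameter. The sample users, the escape helper and both resolver functions are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample user logins; not data from any BuddyPress site.
SAMPLE_USERS = ["alice", "alice_admin", "bob", "carol"]


def sql_escape(value: str) -> str:
    """Model of SQL-string escaping in the spirit of esc_sql(): it neutralises
    quotes and backslashes for the string literal, but regex metacharacters
    such as . * | ( ) are not special to SQL and pass through untouched.
    (Quotes are doubled rather than backslashed because this demo runs on SQLite.)"""
    return value.replace("\\", "\\\\").replace("'", "''")


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite has no built-in REGEXP operator; register one so the query shape
    # matches the MySQL REGEXP clause the advisory describes.
    conn.create_function("REGEXP", 2,
                         lambda pattern, text: re.search(pattern, text) is not None)
    conn.execute("CREATE TABLE users (user_login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def resolve_vulnerable(conn: sqlite3.Connection, mentions: list[str]) -> list[str]:
    # Flawed shape: SQL-escaped names are interpolated into an unprepared
    # REGEXP clause, so the mention text becomes part of the pattern itself
    # and metacharacters widen (or slow down) the match.
    alternation = "|".join(sql_escape(m) for m in mentions)
    sql = f"SELECT user_login FROM users WHERE user_login REGEXP '^({alternation})$'"
    return sorted(row[0] for row in conn.execute(sql))


def resolve_fixed(conn: sqlite3.Connection, mentions: list[str]) -> list[str]:
    # Hardened shape: no REGEXP at all. Names are allow-listed to an assumed
    # username alphabet, then bound as parameters to an exact-match IN clause,
    # so the database never interprets user input as a pattern.
    names = [m for m in mentions if re.fullmatch(r"[A-Za-z0-9_.-]+", m)]
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT user_login FROM users WHERE user_login IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, names))
```

The key point is that SQL escaping and regex escaping are different operations: a name that is a safe SQL string literal can still be a live pattern, so the fix is to stop treating mention text as a pattern at all rather than to add more escaping.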

Impact Analysis

This vulnerability allows attackers to infer valid usernames through boolean-based queries, exposing account information.

Additionally, attackers can cause denial of service (DoS) by exploiting catastrophic backtracking in the regular expression, which can degrade or disrupt the availability of the affected BuddyPress service.
