PatchSiren cyber security CVE debrief
CVE-2026-53674 BuddyPress CVE debrief
CVE-2026-53674 is a HIGH severity vulnerability in BuddyPress 14.4.0. The vulnerability exists in the activity mention resolver when username compatibility mode is enabled. Attackers can craft @mentions containing regex metacharacters, which pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table. This allows for boolean-based inference of usernames and denial of service through catastrophic backtracking. The CVSS score for this vulnerability is 7.1.
- Vendor: BuddyPress
- Product: BuddyPress 14.4.0
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of BuddyPress 14.4.0, particularly those with username compatibility mode enabled, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the activity mention resolver's failure to properly sanitize @mentions containing regex metacharacters. When username compatibility mode is enabled, the mention text passes through esc_sql, which escapes SQL string delimiters but leaves regex metacharacters intact, and is then inserted into an unprepared REGEXP query against the users table. This lets an attacker change the meaning of the REGEXP clause, enabling boolean-based inference of usernames or denial of service through catastrophic backtracking.
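The PHP below is an added illustration written for this debrief, not BuddyPress code: it shows why SQL-escaping alone does not make user text safe inside a REGEXP clause, and two hardened lookups a plugin author could use instead. The function names, the stand-in for esc_sql, the wp_users table reference and the username allow-list are all assumptions constructed for the example and do not describe the actual BuddyPress implementation or its fix.

```php
<?php
// Added example (not BuddyPress code). Demonstrates the defect class the
// debrief describes and two defensive alternatives.

// Stand-in for WordPress esc_sql(): it escapes SQL string delimiters only.
// Regex metacharacters such as . * + ( ) | are untouched, which is the gap.
function fake_esc_sql(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// HYPOTHETICAL vulnerable pattern: the mention text becomes the regex.
// A '.' in the mention now matches any character, so the query's meaning
// is controlled by whoever wrote the mention.
function build_mention_regexp_query_unsafe(string $mention): string
{
    $pattern = '^' . fake_esc_sql($mention) . '$';
    return "SELECT ID FROM wp_users WHERE user_login REGEXP '$pattern'";
}

// Hardened variant 1 (preferred): validate the mention against the character
// set a username may actually contain, then compare for equality with a bound
// parameter. REGEXP is not needed to look up an exact username.
function build_mention_lookup_safe(string $mention): ?array
{
    // Constructed allow-list: letters, digits, dot, dash, underscore, 1-60 chars.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,60}\z/', $mention)) {
        return null; // reject: nothing resembling a username was provided
    }
    return [
        'sql'    => 'SELECT ID FROM wp_users WHERE user_login = ?',
        'params' => [$mention],
    ];
}

// Hardened variant 2: if REGEXP is genuinely required, neutralise regex
// metacharacters first and still bind the pattern rather than concatenate it.
// preg_quote targets PCRE syntax; confirm the escaping against the regex
// dialect of the MySQL/MariaDB version in use before relying on it.
function build_mention_regexp_query_safe(string $mention): array
{
    $literal = preg_quote($mention); // escapes . * + ? ( ) [ ] { } | ^ $ \ and more
    return [
        'sql'    => 'SELECT ID FROM wp_users WHERE user_login REGEXP ?',
        'params' => ['^' . $literal . '$'],
    ];
}

// Demonstration with constructed input: a plain name and a name carrying a
// regex wildcard. The wildcard survives SQL escaping unchanged in the unsafe
// query, is treated as a literal in variant 1, and is escaped in variant 2.
foreach (['alice', 'ali.e'] as $m) {
    echo "unsafe: " . build_mention_regexp_query_unsafe($m) . PHP_EOL;
    $safe = build_mention_lookup_safe($m);
    echo "safe-1: " . ($safe ? $safe['sql'] . ' with ' . json_encode($safe['params']) : 'rejected') . PHP_EOL;
    $re = build_mention_regexp_query_safe($m);
    echo "safe-2: " . $re['sql'] . ' with ' . json_encode($re['params']) . PHP_EOL . PHP_EOL;
}
```

Variant 1 is the one to reach for: an @mention resolves a single exact username, so equality with a bound parameter removes both the inference channel and the backtracking risk at once, whereas variant 2 only closes the gap if the escaping matches the database's regex dialect.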
Defensive priority
HIGH
Recommended defensive actions
- Update to a patched version of BuddyPress as soon as possible.
- Disable username compatibility mode if not required.
- Implement additional security measures to monitor and restrict activity mentions.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about the vulnerability. Additional information can be found in the source references [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-53674 was published on 2026-06-10T00:16:55.190Z and modified on 2026-06-10T19:41:25.327Z.