By weakness (CWE)
CWE-943: related vulnerabilities
CVEs classified under CWE-943. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
3 published vulnerabilities
- CVE-2026-53674HIGH 7.1
BuddyPress 14.4.0 has a flaw in how it processes @mention names when a specific username compatibility feature is enabled. Attackers can craft malicious mention text containing special regex characters that slip past the software's input sanitization, allowing them to probe the database for usernames or crash the system through resource exhaustion. The vulnerability requires an attacker to be logged in but poses meaningful risk to information disclosure and availability.
- CVE-2026-41696MEDIUM 5.9
Spring Data MongoDB, a widely-used persistence framework for MongoDB, contains a query injection vulnerability affecting multiple versions. When developers use the @Query annotation with regex parameter binding, the framework fails to properly validate user-supplied input. This allows an attacker to craft a malicious string that escapes the intended regex boundaries and inject arbitrary queries. The vulnerability does not currently appear on the CISA KEV catalog, but the broad version range affected and the sensitive nature of database queries make it a meaningful risk for organizations relying on Spring Data MongoDB.
- CVE-2026-41697MEDIUM 4.8
Spring Data Relational, a widely-used Java framework for database access, contains a vulnerability in its Query By Example (QBE) feature. When developers use string matching options like STARTING, ENDING, or CONTAINING, the framework fails to properly escape wildcard characters from user-supplied input. An attacker can exploit this by injecting wildcard characters to perform boolean-based blind SQL inference attacks—essentially asking yes-or-no questions about the underlying database without directly viewing the data. The vulnerability affects multiple versions across 2.4, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, and 4.0 release lines.