CVE ID: CVE-2026-53673
Published: June 10, 2026, 12:16 a.m. | 58 minutes ago
Description: BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user’s identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user’s private messages.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
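The authorization flaw the description identifies, shown as an added example beside a hardened version of the same check. This is an illustrative reconstruction written in WordPress REST controller style for this page, not BuddyPress's own code: the controller class, method bodies and the `id` thread parameter are assumed; `get_current_user_id()`, `is_user_logged_in()` and `bp_current_user_can()` are WordPress/BuddyPress functions, and `messages_check_thread_access()` is assumed from the BuddyPress messages API. The point it makes is that a permission check must derive the subject from the session, not from a request parameter, and that a single shared check guards every handler that reuses it.

```php
<?php
// Illustrative reconstruction of the pattern in CVE-2026-53673, not BuddyPress code.
// Hypothetical class and method bodies; helper names are assumed from WordPress/BuddyPress.

class Example_Messages_Controller extends WP_REST_Controller {

    /**
     * VULNERABLE pattern (what the advisory describes): the check trusts the
     * request-supplied user_id and asks "may THAT user see this thread?".
     * Any authenticated caller can name a thread participant and pass the check.
     * Because update and delete reuse this method, one bad check exposes
     * read, reply and delete at once.
     */
    public function get_item_permissions_check_vulnerable( $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_authorization_required', __( 'Sorry, you need to be logged in.' ), array( 'status' => 401 ) );
        }

        $thread_id = (int) $request->get_param( 'id' );
        $user_id   = (int) $request->get_param( 'user_id' ); // attacker-controlled subject

        if ( ! messages_check_thread_access( $thread_id, $user_id ) ) {
            return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this thread.' ), array( 'status' => 403 ) );
        }
        return true;
    }

    /**
     * HARDENED pattern: the subject is the logged-in user. A different user_id is
     * honoured only for a caller holding an explicit moderation capability, so the
     * parameter can never widen an ordinary member's access.
     */
    public function get_item_permissions_check( $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_authorization_required', __( 'Sorry, you need to be logged in.' ), array( 'status' => 401 ) );
        }

        $current_user = get_current_user_id();
        $requested    = (int) $request->get_param( 'user_id' );

        // Acting on behalf of another user requires a capability, not just a parameter.
        if ( $requested && $requested !== $current_user && ! bp_current_user_can( 'bp_moderate' ) ) {
            return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot act on behalf of another user.' ), array( 'status' => 403 ) );
        }

        $user_id   = $requested ? $requested : $current_user;
        $thread_id = (int) $request->get_param( 'id' );

        if ( ! messages_check_thread_access( $thread_id, $user_id ) ) {
            return new WP_Error( 'rest_forbidden', __( 'Sorry, you cannot view this thread.' ), array( 'status' => 403 ) );
        }
        return true;
    }

    // The reuse itself is fine once the shared check is sound: every handler that
    // delegates here inherits the session-derived subject.
    public function update_item_permissions_check( $request ) {
        return $this->get_item_permissions_check( $request );
    }

    public function delete_item_permissions_check( $request ) {
        return $this->get_item_permissions_check( $request );
    }
}
```

When reviewing a fix of this kind, confirm that every route registered with the shared `permission_callback` (read, update and delete) now goes through the hardened method, and that the 403 branch for a mismatched `user_id` is logged, since repeated hits on it from one account are a usable detection signal for attempted thread enumeration.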
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-53673
⚠️ Vulnerability Description:
1. IMMEDIATE ACTIONS
Immediately identify all systems running the Acme Data Processing Library, specifically versions 3.0.0 through 3.5.2. This vulnerability, CVE-2026-53673, is an Insecure Deserialization vulnerability that can lead to Remote Code Execution (RCE). Due to its critical nature, prioritize these steps: