bbPress 2.5.9 is out, and is a security release for all previous 2.x versions.
bbPress versions 2.5.8 and earlier are susceptible to a form of cross-site scripting (XSS), due to the way users are linked to their profiles when they are mentioned in topics and replies.
Check the 2.5 milestone for a comprehensive changelog of fixes.
Take a moment to update your bbPress installations to 2.5.9. If you’re using WordPress’s built-in updater, it should only take a click or two.
These fixes have also been ported over to 2.6, which we continue to run here at bbPress.org and BuddyPress.org.