{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39971", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.627Z", "datePublished": "2026-04-14T23:35:49.305Z", "dateUpdated": "2026-04-15T16:22:04.004Z"}, "containers": {"cna": {"title": "Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST", "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r"}, {"name": "https://github.com/s9y/Serendipity/releases/tag/2.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0"}], "affected": [{"vendor": "s9y", "product": "Serendipity", "versions": [{"version": "< 2.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:35:49.305Z"}, "descriptions": [{"lang": "en", "value": "Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0."}], "source": {"advisory": "GHSA-458g-q4fh-mj6r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T16:20:55.327550Z", "id": "CVE-2026-39971", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:22:04.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39971", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T16:20:55.327550Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:20:59.391Z"}}], "cna": {"title": "Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST", "source": {"advisory": "GHSA-458g-q4fh-mj6r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "s9y", "product": "Serendipity", "versions": [{"status": "affected", "version": "< 2.6.0"}]}], "references": [{"url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r", "name": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0", "name": "https://github.com/s9y/Serendipity/releases/tag/2.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:35:49.305Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39971", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:22:04.004Z", "dateReserved": "2026-04-08T00:01:47.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T23:35:49.305Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:s9y:serendipity:*:*:*:*:*:*:*:*", "matchCriteriaId": "25355E06-ECC8-4A6C-ADB1-1A8ED17E5ABF", "versionEndExcluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:s9y:serendipity:2.6.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "D31C5F34-5B83-4955-870B-0D1AC375DA24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0."}], "id": "CVE-2026-39971", "lastModified": "2026-04-23T13:59:19.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T04:17:39.763", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Serendipity", "source": "cna", "vendor": "s9y"}, "product": "serendipity", "vendor": "s9y"}], "analysis": {"en": {"generated_at": "2026-04-15T01:21:28.662917+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to Serendipity 2.6.0 or later to resolve the host header sanitization issue.", "If an upgrade is not immediately possible, disable comment notifications or implement a filter that sanitizes or blocks non\u2011standard values in the HTTP_HOST before they are used in email headers.", "After remedial action, audit outbound email headers to confirm that no injected SMTP headers are present and that legitimate Message-ID headers are correctly formatted."], "summary": {"action": "Patch", "impact": "SMTP Header Injection"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the s9y:Serendipity PHP weblog engine, specifically versions 2.6-beta2 and any earlier build prior to the release of 2.6.0. The vulnerability is present in the include/functions.inc.php component that handles email notification for comments and subscriptions. Users running unpatched versions of Serendipity that expose an email\u2011triggering feature should verify their software version against the fix.", "description_and_impact": "The CVE reveals that Serendipity versions 2.6-beta2 and earlier allow a host header injection attack that can be leveraged to inject arbitrary SMTP headers. The vulnerability arises from inserting the raw HTTP_HOST value into the Message-ID header without validation, which can be abused to spoof sender identity, hijack email replies, or degrade sender reputation by embedding a malicious domain. This injection flaw maps to CWE-113 and can result in significant confidentiality and integrity impacts on email communication.", "risk_and_exploitability": "Based on the description, it is inferred that an attacker can craft a request to the site\u2019s comment notification endpoint with a malformed Host header to inject SMTP headers. The CVSS score of 7.2 reflects a high severity, and the lack of an EPSS score means exploitation probability is unknown. The vulnerability is not listed in the KEV catalog, but the potential for email spoofing warrants immediate attention."}}}}, "created": "2026-04-15T13:48:23.611148+00:00", "updated": "2026-04-15T14:28:41.082936+00:00", "vendors": ["s9y", "s9y$PRODUCT$serendipity"]}