7.2
CVE-2026-39971
- EPSS 0.26%
- Veröffentlicht 14.04.2026 23:35:49
- Zuletzt bearbeitet 23.04.2026 13:59:19
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
S9y ≫ Serendipity Version < 2.6.0
S9y ≫ Serendipity Version2.6.0 Updatebeta1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.166 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.2 | 3.9 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
https://github.com/s9y/Serendipity/releases/tag/2.6.0
https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r