Description

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0.

INFO

Published Date :

2026-04-14T23:35:49.305Z

Last Modified :

2026-04-14T23:35:49.305Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39971 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39971.

URL Resource
https://github.com/s9y/Serendipity/releases/tag/2.6.0 cve-icon
https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact