CVE-2026-39963

MEDIUM 6.9

Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain

CVSS Score

6.9

EPSS Score

0.0%

EPSS Percentile

13th

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.

CWE	CWE-565
Vendor	s9y
Product	serendipity
Published	Apr 14, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for s9y serendipity

Be the first to know when new medium vulnerabilities affecting s9y serendipity are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

s9y / Serendipity

< 2.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf github.com: https://github.com/s9y/Serendipity/releases/tag/2.6.0