Description
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0.
Published: 2026-04-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SMTP Header Injection
Action: Patch
AI Analysis

Impact

The CVE reveals that Serendipity versions 2.6-beta2 and earlier allow a host header injection attack that can be leveraged to inject arbitrary SMTP headers. The vulnerability arises from inserting the raw HTTP_HOST value into the Message-ID header without validation, which can be abused to spoof sender identity, hijack email replies, or degrade sender reputation by embedding a malicious domain. This injection flaw maps to CWE-113 and can result in significant confidentiality and integrity impacts on email communication.

Affected Systems

Affected systems are installations of the Serendipity (s9y) PHP weblog engine, specifically version 2.6-beta2 and any earlier build prior to the release of 2.6.0. The vulnerability is present in the include/functions.inc.php component that handles email notification for comments and subscriptions. Users running unpatched versions of Serendipity that expose an email-triggering feature should verify their software version against the fix.

Risk and Exploitability

Based on the description, it is inferred that an attacker can craft a request to the site’s comment notification endpoint with a malformed Host header to inject SMTP headers. The CVSS score of 7.2 reflects a high severity, and the lack of an EPSS score means exploitation probability is unknown. The vulnerability is not listed in the KEV catalog, but the potential for email spoofing warrants immediate attention.

Generated by OpenCVE AI on April 15, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to Serendipity 2.6.0 or later to resolve the host header sanitization issue.
  • If an upgrade is not immediately possible, disable comment notifications or implement a filter that sanitizes or blocks non‑standard values in the HTTP_HOST before they are used in email headers.
  • After remedial action, audit outbound email headers to confirm that no injected SMTP headers are present and that legitimate Message-ID headers are correctly formatted.
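Illustrating the second action above (filtering HTTP_HOST before it reaches a mail header), as an added example that is not Serendipity's own code: the allow-list, function names and sample inputs are assumptions. The validator rejects control characters and anything outside the RFC 1123 hostname alphabet, strips an optional port, requires allow-list membership, and the Message-ID builder falls back to a configured hostname when validation fails.

```php
<?php
// Added example, not part of Serendipity: never embed a raw Host header in a mail
// header; validate it first and fall back to a configured hostname otherwise.

// Hypothetical allow-list: the hostnames this blog is actually served under.
const TRUSTED_HOSTS = ['blog.example.org', 'www.example.org'];

/**
 * Return a hostname safe to embed in a mail header, or null if the raw value
 * is absent, contains control characters (CR/LF included), is not a valid
 * RFC 1123 hostname, or is not on the allow-list. An optional :port is dropped.
 */
function safe_host_for_header(?string $raw, array $trusted): ?string
{
    if ($raw === null) {
        return null;
    }
    // Any control character would let the value spill into a new header line.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    // Strip a trailing :port; the domain part of a Message-ID carries none.
    $host = preg_replace('/:\d{1,5}\z/', '', $raw);
    // Labels of letters, digits and hyphens joined by dots, 253 chars maximum.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?=.{1,253}\z)' . $label . '(?:\.' . $label . ')*\z/i', $host)) {
        return null;
    }
    $host = strtolower($host);
    return in_array($host, $trusted, true) ? $host : null;
}

/** Build a Message-ID whose domain part is validated or a configured fallback. */
function build_message_id(?string $raw_host, array $trusted, string $fallback): string
{
    $host = safe_host_for_header($raw_host, $trusted) ?? $fallback;
    return '<' . bin2hex(random_bytes(16)) . '@' . $host . '>';
}

// Constructed inputs: a trusted host, the same with a port, one with a line
// break (rejected), and a host not on the allow-list (rejected).
$samples = ['blog.example.org', 'www.example.org:8080', "blog.example.org\r\n", 'other.example.net'];
foreach ($samples as $h) {
    printf("%-28s -> %s\n", json_encode($h), build_message_id($h, TRUSTED_HOSTS, 'blog.example.org'));
}
```

The same check can be applied to the hostname before it is placed in any other outgoing header, and the audit step in the third action reduces to confirming that every Message-ID domain part is a member of the allow-list.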

Advisories
Source: Github GHSA
ID: GHSA-458g-q4fh-mj6r
Title: Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
History

Wed, 15 Apr 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Added: S9y; S9y serendipity

Type: Vendors & Products
Values Added: S9y; S9y serendipity

Wed, 15 Apr 2026 00:00:00 +0000

Type: Description
Values Added: (the advisory text given in the Description section above)

Type: Title
Values Added: Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST

Type: Weaknesses
Values Added: CWE-113

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T16:22:04.004Z

Reserved: 2026-04-08T00:01:47.627Z

Link: CVE-2026-39971

Vulnrichment

Updated: 2026-04-15T16:20:59.391Z

NVD

Status: Received

Published: 2026-04-15T04:17:39.763

Modified: 2026-04-15T04:17:39.763

Link: CVE-2026-39971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:28:41Z

Weaknesses