Threat Advisory

Serendipity Vulnerability Exposes SMTP Header Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-39971 (CVSS 8.2) is a Host header injection vulnerability in Serendipity. In affected versions, the HTTP_HOST value is inserted into the Message-ID SMTP header without proper sanitization. By controlling the Host header during an action that triggers an email, an attacker can inject arbitrary SMTP headers into outgoing messages, enabling spam relay, BCC injection, and email spoofing, with only minimal access to the affected system. The resulting ability to manipulate email headers leads to identity spoofing, reply hijacking, and email reputation abuse; if exploited, the business impact is significant, including compromised email delivery and damaged brand reputation. No prerequisites or conditions are required beyond the ability to control the Host header.
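As an added illustration (not Serendipity's code and not the project's own fix), the hardened pattern below derives the Message-ID domain from the request Host only after validating it and checking it against an operator allow-list; the hostnames, configuration and function names are assumptions constructed for this example.

```python
import re
import secrets
import time
from typing import Optional

# Hypothetical operator configuration, constructed for this example.
ALLOWED_HOSTS = {"blog.example", "www.blog.example"}
FALLBACK_HOST = "blog.example"

# RFC 1123-style hostname (dot-separated labels) with an optional port.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$",
    re.IGNORECASE,
)


def is_safe_hostname(value: str) -> bool:
    """True only for a plain hostname[:port] with no control characters."""
    # CR, LF and other control bytes would end the header or start a new one.
    if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    return _HOSTNAME_RE.fullmatch(value) is not None


def message_id_domain(http_host: Optional[str]) -> str:
    """Domain part for Message-ID, taken from Host only after vetting.

    The raw Host header is attacker-controlled, so it is used only when it
    is well-formed AND on the allow-list; otherwise the fallback is used.
    """
    if http_host is None or not is_safe_hostname(http_host):
        return FALLBACK_HOST
    host = http_host.split(":", 1)[0].lower()  # drop port, normalise case
    return host if host in ALLOWED_HOSTS else FALLBACK_HOST


def build_message_id(http_host: Optional[str], now: Optional[float] = None) -> str:
    """Build an RFC 5322 Message-ID whose domain part is always vetted."""
    stamp = int(time.time() if now is None else now)
    return f"<{stamp}.{secrets.token_hex(8)}@{message_id_domain(http_host)}>"
```

The same validate-then-use step belongs in front of any other place a request-supplied host is copied into an outgoing header or link.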


RECOMMENDATION:

We recommend updating Serendipity to version 2.6.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-458g-q4fh-mj6r
