CVE-2026-39963 (GCVE-0-2026-39963)

Vulnerability from cvelistv5 – Published: 2026-04-14 23:31 – Updated: 2026-04-15 13:23
VLAI?
Title
Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain
Summary
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.
Severity ?
6.9 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE
  • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Assigner
References
Impacted products
Vendor Product Version
s9y Serendipity Affected: < 2.6.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39963",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T13:23:44.552367Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T13:23:48.591Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Serendipity",
          "vendor": "s9y",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2  and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER[\u0027HTTP_HOST\u0027] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-565",
              "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T23:31:13.843Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf"
        },
        {
          "name": "https://github.com/s9y/Serendipity/releases/tag/2.6.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0"
        }
      ],
      "source": {
        "advisory": "GHSA-4m6c-649p-f6gf",
        "discovery": "UNKNOWN"
      },
      "title": "Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39963",
    "datePublished": "2026-04-14T23:31:13.843Z",
    "dateReserved": "2026-04-08T00:01:47.626Z",
    "dateUpdated": "2026-04-15T13:23:48.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-39963",
      "date": "2026-04-15",
      "epss": "0.00043",
      "percentile": "0.12954"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39963\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-15T04:17:39.580\",\"lastModified\":\"2026-04-15T14:16:17.543\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2  and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER[\u0027HTTP_HOST\u0027] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-565\"}]}],\"references\":[{\"url\":\"https://github.com/s9y/Serendipity/releases/tag/2.6.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39963\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-15T13:23:44.552367Z\"}}}], \"references\": [{\"url\": \"https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-15T13:23:40.363Z\"}}], \"cna\": {\"title\": \"Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain\", \"source\": {\"advisory\": \"GHSA-4m6c-649p-f6gf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"s9y\", \"product\": \"Serendipity\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf\", \"name\": \"https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/s9y/Serendipity/releases/tag/2.6.0\", \"name\": \"https://github.com/s9y/Serendipity/releases/tag/2.6.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2  and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER[\u0027HTTP_HOST\u0027] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-565\", \"description\": \"CWE-565: Reliance on Cookies without Validation and Integrity Checking\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-14T23:31:13.843Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39963\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-15T13:23:48.591Z\", \"dateReserved\": \"2026-04-08T00:01:47.626Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-14T23:31:13.843Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.