SecuriTricks - CVE-2026-39963

Description

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.

Product(s) Impacted

Vendor	Product	Versions
Serendipity	Serendipity	<2.6.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-565

Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	serendipity	serendipity	<2.6.0	/	/	/	/	/	/	/

References

https://github.com/s9y/Serendipity/releases/tag/2.6.0

https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf

CVSS Score

6.9 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

View Vector String

Timeline

Published: April 15, 2026, 4:17 a.m.
Last Modified: April 15, 2026, 2:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-39963