PT-2026-32966 · Unknown · Serendipity

Published: 2026-04-14 · Updated: 2026-04-15 · CVE-2026-39963

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Serendipity versions prior to 2.6.0

Description: The serendipity_setCookie() function in include/functions_config.inc.php uses the $_SERVER['HTTP_HOST'] variable without validation as the domain parameter of the setcookie() function. An attacker who can influence the Host header during login, through methods such as man-in-the-middle (MITM) attacks, reverse proxy misconfigurations, or load balancer manipulation, can force authentication cookies, including session tokens and auto-login tokens, to be scoped to a domain controlled by the attacker. This can lead to session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an administrator logs in while the Host header is poisoned.

Recommendations: Update to version 2.6.0. As a temporary workaround, restrict access to the serendipity_setCookie() function or ensure the Host header is strictly validated at the server or load balancer level to prevent header manipulation.
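The following PHP snippet is an added illustration of the weakness class described above and of the validation the recommendations ask for. It is not Serendipity's code and does not reproduce serendipity_setCookie(); the function names other than the PHP builtins setcookie(), strtolower(), strpos(), substr() and error_log() are hypothetical, and the allowlist $allowedHosts is a constructed stand-in for whatever hostnames the site operator has configured.

```php
<?php
// Added illustrative example (not Serendipity's code). It contrasts the
// pattern the advisory describes, a cookie domain copied from the Host
// header, with a version that only trusts a server-side allowlist.
// Requires PHP 7.3+ for the options-array form of setcookie().

/**
 * Weak pattern: the cookie domain is whatever the client (or a proxy in
 * between) sent as Host. If Host is rewritten during login, the browser
 * is told to store the session cookie for a domain the site never chose.
 */
function set_cookie_weak(string $name, string $value): void {
    $domain = $_SERVER['HTTP_HOST'] ?? '';   // request-controlled input
    setcookie($name, $value, 0, '/', $domain, true, true);
}

/**
 * Hardened helper: map the incoming Host header onto the configured
 * hostnames and return the match, or null when it matches none.
 * Callers must treat null as "do not set the cookie".
 */
function resolve_cookie_domain(string $requestHost, array $allowedHosts): ?string {
    // Drop any port suffix ("blog.example.org:8443" -> "blog.example.org")
    // and normalise case before comparing.
    $host = strtolower($requestHost);
    if (($colon = strpos($host, ':')) !== false) {
        $host = substr($host, 0, $colon);
    }
    // Exact match only. A suffix or wildcard comparison would accept
    // lookalikes such as "example.org.other.tld" on a naive ends-with check.
    foreach ($allowedHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return $host;
        }
    }
    return null;
}

/**
 * Hardened pattern: the domain comes from configuration, never from the
 * request. A mismatch refuses the cookie and leaves a log line, which is
 * the signal a defender wants when Host headers are being tampered with.
 */
function set_cookie_hardened(string $name, string $value, array $allowedHosts): bool {
    $requestHost = $_SERVER['HTTP_HOST'] ?? '';
    $domain = resolve_cookie_domain($requestHost, $allowedHosts);
    if ($domain === null) {
        error_log('cookie refused: Host header "' . $requestHost . '" not in allowlist');
        return false;
    }
    // Secure + HttpOnly + SameSite limit what a leaked or mis-scoped cookie
    // is worth; they complement, not replace, the domain check above.
    return setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample allowlist, as an operator would keep it in config.
$allowedHosts = ['blog.example.org'];
var_dump(resolve_cookie_domain('blog.example.org:443', $allowedHosts));
var_dump(resolve_cookie_domain('blog.example.org.other.tld', $allowedHosts));
```

The simplest alternative to an allowlist is to pass no domain at all: a cookie set without a domain attribute is host-only and is returned only to the exact origin that set it, which removes the Host header from the decision entirely. Either way, the same check belongs at the reverse proxy or load balancer, where an unexpected Host value can be rejected before it reaches the application.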

Weakness Enumeration

Related Identifiers

CVE-2026-39963
GHSA-4M6C-649P-F6GF

Affected Products

Serendipity