PT-2026-32967 · Unknown · Serendipity

Published: 2026-04-14 · Updated: 2026-04-15 · CVE-2026-39971

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Serendipity versions prior to 2.6.0

Description: The email sending functionality in include/functions.inc.php inserts the $_SERVER['HTTP_HOST'] variable directly into the Message-ID SMTP header without validation. The sanitization function serendipity_isResponseClean() is not applied to the HTTP_HOST value before it is embedded. An attacker who can control the Host header during email-triggering actions, such as comment notifications or subscription emails, can inject arbitrary SMTP headers into outgoing emails. This allows identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse by embedding an attacker-controlled domain in legitimate mail headers. It can also enable spam relay and BCC injection.

Recommendations: Update to version 2.6.0.
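The vulnerable pattern beside a hardened one, as an added illustration that is not Serendipity's code: buildMessageIdVulnerable(), buildMessageIdSafe(), headerLineCount() and the fallback hostname are constructed names, and isResponseClean() reproduces only the assumed CR/LF check of serendipity_isResponseClean().

```php
<?php
// Added illustration, not code from include/functions.inc.php.
// Function names and the fallback hostname below are constructed.

// Assumed behaviour of serendipity_isResponseClean(): a value is clean only
// if it carries no CR or LF, the characters header injection depends on.
function isResponseClean(string $s): bool
{
    return strpos($s, "\r") === false && strpos($s, "\n") === false;
}

// Vulnerable pattern: the client-supplied Host value is trusted verbatim.
function buildMessageIdVulnerable(string $host): string
{
    return 'Message-ID: <' . md5(uniqid('', true)) . '@' . $host . ">\r\n";
}

// Hardened pattern: reject CR/LF and anything that is not a hostname[:port],
// and fall back to a configured hostname (assumed to exist in configuration).
function buildMessageIdSafe(string $host, string $fallbackHost): string
{
    $valid = isResponseClean($host)
        && preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host) === 1;
    $domain = $valid ? $host : $fallbackHost;
    return 'Message-ID: <' . md5(uniqid('', true)) . '@' . $domain . ">\r\n";
}

// Counts rendered header lines: a single Message-ID must yield exactly one.
function headerLineCount(string $headers): int
{
    return count(array_filter(explode("\r\n", $headers), 'strlen'));
}

// Constructed sample: a Host value smuggling a CRLF and one extra header line.
$tamperedHost = "blog.example\r\nX-Injected: constructed-demo";

$vulnerable = buildMessageIdVulnerable($tamperedHost);
$safe       = buildMessageIdSafe($tamperedHost, 'blog.example');

printf("vulnerable header lines: %d\n", headerLineCount($vulnerable));
printf("hardened header lines:   %d\n", headerLineCount($safe));
```

The second count is the check a defender wants: the hardened builder emits one header line regardless of what the Host header carried, because the unclean value is replaced by the configured hostname rather than copied through.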

Related Identifiers

CVE-2026-39971
GHSA-458G-Q4FH-MJ6R

Affected Products

Serendipity