CVE-2026-39971
Published: 15 April 2026
Summary
CVE-2026-39971 is a high-severity header injection vulnerability in S9Y Serendipity, classified as CWE-113 (HTTP Request/Response Splitting): the value of the HTTP Host header is reflected, unvalidated, into the Message-ID header of outgoing SMTP mail. Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as the attacker-controlled HTTP_HOST value before it is embedded into the SMTP Message-ID header, directly preventing the header injection.
- SI-15 (Information Output Filtering): mandates filtering of information outputs such as email headers, so that unvalidated HTTP_HOST data cannot introduce arbitrary SMTP headers into outgoing mail.
- SI-2 (Flaw Remediation): ensures timely remediation of flaws such as the missing sanitization of HTTP_HOST in Serendipity's email function, by patching to version 2.6.0 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): the flaw sits in a web application reachable over the network and needs no authentication, so it is exploited remotely against the exposed site. Email Spoofing (T1672): the injected SMTP headers let the attacker manipulate the identity and threading of mail that genuinely originates from the victim's server.
NVD Description
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0.
Deeper analysis
CVE-2026-39971 affects Serendipity, a PHP-powered weblog engine, in versions 2.6-beta2 and prior. The vulnerability resides in the email sending functionality within the file include/functions.inc.php, where the $_SERVER['HTTP_HOST'] value is inserted directly into the Message-ID SMTP header without validation. Notably, the existing sanitization function serendipity_isResponseClean() is not invoked on the HTTP_HOST value before it is embedded, so untrusted request data propagates into outgoing email headers. The issue is classified under CWE-113 (HTTP response splitting) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). The sink here is an SMTP header rather than an HTTP one, but the root cause is the same as in classic response splitting: line-terminating characters in a header value are not neutralized, so one value can end the current header and begin new ones.
An unauthenticated attacker (PR:N) can exploit this remotely (AV:N) with low complexity (AC:L) by supplying a crafted Host header on a request that triggers outgoing mail, such as a comment notification or a subscription email. Successful exploitation injects arbitrary SMTP headers into otherwise legitimate emails sent by the Serendipity instance, which the changed scope (S:C) reflects: the impact lands on mail recipients and mail infrastructure rather than on the web application itself. This facilitates identity spoofing, reply hijacking through manipulated Message-ID threading that alters email conversations, and email reputation abuse by embedding the attacker's domain in headers of mail from a trusted source. Whether the Host header is attacker-controlled depends on the deployment: a web server or reverse proxy that routes requests carrying an unrecognized Host value to the Serendipity virtual host passes that value through unchanged, while one that only answers for its configured server names does not.
The Serendipity project has addressed this vulnerability in version 2.6.0, as detailed in the release notes and corresponding security advisory. Practitioners should upgrade to Serendipity 2.6.0 or later. Where an immediate upgrade is not possible, rejecting requests whose Host header does not match the configured server name, at the web server or reverse proxy, removes the attacker's control over the value that reaches the mail function. Relevant resources include the GitHub release page at https://github.com/s9y/Serendipity/releases/tag/2.6.0 and the security advisory at https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r.
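The following is an added example written for this page, not Serendipity's own PHP code. It mirrors the flawed pattern described above (a request-supplied host concatenated into a Message-ID), shows what a receiving MTA then parses out of the assembled message, and places a hardened builder beside it that validates the host syntactically and restricts it to an allowlist drawn from configuration. It also includes a small detection aid for outbound mail. ALLOWED_HOSTS, ATTACKER_HOST, the hostname regex and every function name are assumptions for the example; is_clean_header_value is a stand-in for a CR/LF check and is not the project's serendipity_isResponseClean(). Python is used so the example runs stand-alone; the mechanics are the same in PHP.

```python
import re
from email import message_from_string

# Hostnames this deployment is actually served under. Constructed for the
# example; in a real fix the value comes from the blog's configured base URL,
# never from the request.
ALLOWED_HOSTS = {"blog.example.org"}

# Syntactic check for a hostname with an optional port (RFC 1123 labels).
# Assumption for this example, not the project's own rule.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*(?::\d{1,5})?$"
)

# Value an attacker could send in the HTTP Host header. Constructed; the ">"
# closes the Message-ID early and each CRLF starts a new header line.
ATTACKER_HOST = "evil.example>\r\nBcc: spam-target@example.net\r\nX-Injected: <"


def vulnerable_message_id(http_host: str, serial: str) -> str:
    """Flawed pattern: the request's Host value is concatenated straight into
    the Message-ID with no validation."""
    return "<" + serial + "@" + http_host + ">"


def is_clean_header_value(value: str) -> bool:
    """Reject anything that could end the current header line or start another."""
    return not any(c in value for c in "\r\n\0")


def safe_message_id(http_host: str, serial: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened pattern: check syntax, then require the host to be one the
    site is configured for, and emit only that canonical hostname."""
    host = http_host.strip()
    if not is_clean_header_value(host) or not _HOST_RE.match(host):
        raise ValueError("invalid Host header value")
    bare = host.split(":", 1)[0].lower()
    if bare not in allowed_hosts:
        raise ValueError("Host not in configured allowlist")
    return f"<{serial}@{bare}>"


def rejects(http_host: str) -> bool:
    """True when safe_message_id refuses the value."""
    try:
        safe_message_id(http_host, "probe")
    except ValueError:
        return True
    return False


def build_raw_mail(message_id: str, to_addr: str, body: str) -> str:
    """Assemble an RFC 5322 message the way a naive mailer does: by concatenation."""
    return (
        "From: blog@blog.example.org\r\n"
        f"To: {to_addr}\r\n"
        "Subject: New comment on your post\r\n"
        f"Message-ID: {message_id}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def header_names(raw: str) -> list[str]:
    """Parse the assembled message and return the header names a receiving
    MTA would actually see."""
    return list(message_from_string(raw).keys())


_MSGID_DOMAIN_RE = re.compile(r"<[^@>\s]+@([^>\s]+)>")


def foreign_message_id_domain(raw: str, allowed_hosts=ALLOWED_HOSTS):
    """Detection aid for outbound mail: return the Message-ID domain when it is
    not one of ours (a sign the Host header reached the header), else None."""
    match = _MSGID_DOMAIN_RE.search(message_from_string(raw).get("Message-ID", ""))
    if not match:
        return None
    domain = match.group(1).lower()
    return None if domain in allowed_hosts else domain


if __name__ == "__main__":
    bad = build_raw_mail(vulnerable_message_id(ATTACKER_HOST, "c1"), "author@blog.example.org", "hello")
    print(header_names(bad))               # Bcc and X-Injected appear as real headers
    print(foreign_message_id_domain(bad))  # evil.example
    good = build_raw_mail(safe_message_id("Blog.Example.Org:443", "c1"), "author@blog.example.org", "hello")
    print(header_names(good))              # only the four headers the mailer meant to send
    print(rejects(ATTACKER_HOST), rejects("attacker.example"))  # True True
```

The allowlist is the part that matters: stripping CR and LF alone stops header injection but still lets an arbitrary attacker domain appear in the Message-ID of the site's mail, which is the reputation-abuse and threading angle the advisory describes. Binding the emitted hostname to configuration removes both. The detection helper is what a mail gateway or log pipeline can run over messages leaving the server to spot an instance that is still emitting request-derived Message-IDs.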
Details
- CWE(s)