CVE-2026-39971

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $SERVER'HTTPHOST' directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipityisResponseClean is not...

GHSA-458G-Q4FH-MJ6R Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

Summary Serendipity inserts $SERVER'HTTPHOST' directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC...

Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

Summary Serendipity inserts $SERVER'HTTPHOST' directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC...

Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference CWE-639 has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation o...

CVE-2026-1664

Summary: CVE-2026-1664 affects Cloudflare Agents SDK prior to 0.3.7, due to an IDOR in header-based email routing. Root cause: createHeaderBasedEmailResolver() parses Message-ID and References to derive target agentName/agentId without cryptographic/origin verification, letting external headers s...

CVE-2026-1664 Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

EUVD-2005-0128

Malware in sbrugna...

EUVD-2017-3347

Malware in sbrugna...

CVE-2017-11737

interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page...

DEBIAN-CVE-2017-11737

interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page...

UBUNTU-CVE-2017-11737

interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page...

CVE-2005-0127

Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine...

Apple Mac OS X vulnerable to information disclosure in "Message-ID" header

Overview The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent. Description Mac OS X includes the Mail application for handling electronic mail. This application does include the Media Access Control MAC address of a...

CVE-2005-0127

Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine...

CVE-2001-1174

Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to execute arbitrary code via a long Message-ID header...

CVE-2001-1174

Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to execute arbitrary code via a long Message-ID header...