CVE
added 2026/04/14 11:35 p.m.

CVE-2026-39971

CVE-2026-39971 affects Serendipity (PHP weblog). In versions 2.6-beta2 and earlier, include/functions.inc.php embeds the HTTP_HOST value into the SMTP Message-ID header without validation, and serendipity_isResponseClean() is not applied to HTTP_HOST before embedding. An attacker who can control ...

CVSS 7.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 2 | Affected software 1
Vulnrichment
added 2026/04/14 11:35 p.m.

CVE-2026-39971 Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not...

CVSS 7.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 2
ATTACKERKB
added 2026/04/14 11:35 p.m.

CVE-2026-39971

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not...

CVSS 7.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 3 | Affected software 1
Cvelist
added 2026/04/14 11:31 p.m.

CVE-2026-39963 Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as vi...

CVSS 6.9 | EPSS 0.00075
Exploits 1 | References 2
CVE
added 2026/04/14 11:31 p.m.

CVE-2026-39963

The CVE describes a vulnerability in Serendipity (PHP weblog engine) where the function serendipity_setCookie() in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] as the cookie domain without validation for versions 2.6-beta2 and earlier. An attacker who can influence the Host header ...

CVSS 6.9 | AI score 5.7 | EPSS 0.00075
Exploits 1 | References 2 | Affected software 1
Vulnrichment
added 2026/04/14 11:31 p.m.

CVE-2026-39963 Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as vi...

CVSS 6.9 | AI score 5.7 | EPSS 0.00075
Exploits 1 | References 2
ATTACKERKB
added 2026/04/14 11:31 p.m.

CVE-2026-39963

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as vi...

CVSS 6.9 | AI score 5.7 | EPSS 0.00075
Exploits 1 | References 3 | Affected software 1
Github Security Blog
added 2026/04/14 11:18 p.m.

WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses

Summary The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: (1) plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and (2)...

CVSS 7.1 | AI score 6.1 | EPSS 0.00029
Exploits 1 | References 4 | Affected software 1
Github Security Blog
added 2026/04/14 10:53 p.m.

Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint

Summary The GET /?redirect endpoint in goshs v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied url= value and writes any attacker-supplied header=Name: Value pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the...

AI score 6
Exploits 0 | References 2 | Affected software 2
OSV
added 2026/04/14 10:53 p.m.

GHSA-7QX6-F23W-3W7F Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint

Summary The GET /?redirect endpoint in goshs v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied url= value and writes any attacker-supplied header=Name: Value pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the...

AI score 6
Exploits 0 | References 2
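The two goshs entries above describe a redirect endpoint that accepts any url= value and writes any header=Name: Value pair into the response. The following is an added example, not goshs code, of the two checks those entries say are missing: a redirect-target validator that allows only same-site paths or http(s) URLs to allow-listed hosts, and a header parameter validator with a name allow-list and a control-character check. REDIRECT_HOSTS, ALLOWED_HEADERS and the function names are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of external hosts a redirect may point at (assumption).
REDIRECT_HOSTS = frozenset({"files.example.org"})
# Constructed allowlist of response headers the endpoint may set (assumption).
ALLOWED_HEADERS = frozenset({"cache-control", "content-disposition"})

# Any ASCII control character (CR, LF, NUL, ...) would split the response.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
_HEADER_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def safe_redirect_target(url, allowed_hosts=REDIRECT_HOSTS):
    """Return a value that is safe to place in Location, or None.

    Accepted: a same-site absolute path ('/x') or an http(s) URL whose host is
    allow-listed. Rejected: protocol-relative targets ('//evil'), the
    backslash variant ('/\\evil', which browsers treat as '//evil'), non-http
    schemes, control characters or spaces, userinfo tricks ('host@evil') and
    hosts that merely start with an allowed name."""
    if not url or _CTL_RE.search(url) or " " in url:
        return None
    if url.startswith("/"):
        return None if url.startswith(("//", "/\\")) else url
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.hostname not in allowed_hosts:
        return None
    return url


def safe_extra_header(header_param, allowed=ALLOWED_HEADERS):
    """Parse 'Name: Value' into (name, value), or None if the name is not
    allow-listed, is not a token, or the value could inject a second header."""
    name, sep, value = header_param.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not _HEADER_NAME_RE.fullmatch(name):
        return None
    if name.lower() not in allowed or not value or _CTL_RE.search(value):
        return None
    return name, value


def build_redirect_response(url, header_param=None):
    """Response headers for the redirect endpoint, or None (caller answers 400)
    when either parameter fails validation."""
    target = safe_redirect_target(url)
    if target is None:
        return None
    headers = {"Location": target}
    if header_param is not None:
        extra = safe_extra_header(header_param)
        if extra is None:
            return None
        headers[extra[0]] = extra[1]
    return headers


if __name__ == "__main__":
    for candidate in ("/files/report.pdf", "//evil.example/x", "/\\evil.example",
                      "javascript:alert(1)", "https://files.example.org/a",
                      "https://files.example.org.evil.example/a"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The entries also list missing CSRF protection and an invisible-mode bypass; those are not addressed by the validators above, which only close the open redirect and header injection.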
CVE
added 2026/04/14 10:47 p.m.

CVE-2026-35589

In nanobot versions before 0.1.5, the bridge’s WebSocket server (bridge/src/server.ts) binds to all interfaces (0.0.0.0) and does not validate the Origin header, enabling Cross-Site WebSocket Hijacking (CSWSH). Token authentication is disabled by default, allowing any website visited by a user to...

CVSS 9.3 | AI score 7.4 | EPSS 0.0003
Exploits 1 | References 2 | Affected software 1
EUVD
added 2026/04/14 10:32 p.m.

EUVD-2026-22811

Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header...

CVSS 7.2 | AI score 5.8 | EPSS 0.00064
Exploits 1 | References 2
OSV
added 2026/04/14 10:32 p.m.

GHSA-458G-Q4FH-MJ6R Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

Summary Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC...

CVSS 7.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 4
Github Security Blog
added 2026/04/14 10:32 p.m.

Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

Summary Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC...

CVSS 7.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 4 | Affected software 1
Snyk
added 2026/04/14 10:32 p.m.

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the HTTP_HOST value being directly embedded into the Message-ID header during email generation. An attacker can inject arbitrary SMTP headers into outgoing emails by supplying a crafted Host header during...

CVSS 7.2 | AI score 5.9 | EPSS 0.00064
Exploits 1 | References 2
EUVD
added 2026/04/14 10:32 p.m.

EUVD-2026-22809

Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php...

CVSS 6.9 | AI score 5.8 | EPSS 0.00075
Exploits 1 | References 2
Snyk
added 2026/04/14 10:32 p.m.

Reliance on Cookies without Validation and Integrity Checking

Overview Affected versions of this package are vulnerable to Reliance on Cookies without Validation and Integrity Checking via the serendipity_setCookie() function. An attacker can cause authentication cookies, including session and auto-login tokens, to be scoped to an attacker-controlled domain by...

CVSS 6.9 | AI score 5.7 | EPSS 0.00075
Exploits 1 | References 2
Github Security Blog
added 2026/04/14 10:32 p.m.

Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php

Summary The serendipity_setCookie() function uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker can force authentication cookies, including session tokens and auto-login tokens, to be scoped to an attacker-controlled domain, facilitating session hijacking...

CVSS 6.9 | AI score 5.8 | EPSS 0.00075
Exploits 1 | References 4 | Affected software 1
OSV
added 2026/04/14 10:32 p.m.

GHSA-4M6C-649P-F6GF Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php

Summary The serendipity_setCookie() function uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker can force authentication cookies, including session tokens and auto-login tokens, to be scoped to an attacker-controlled domain, facilitating session hijacking...

CVSS 6.9 | AI score 5.8 | EPSS 0.00075
Exploits 1 | References 4
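The Serendipity entries on this page (CVE-2026-39971, Message-ID built from HTTP_HOST with only CRLF stripping; CVE-2026-39963, setcookie() domain taken from HTTP_HOST) share one root cause: the Host header is attacker-influenced input, not configuration. The block below is an added example, not Serendipity code, that shows the two unvalidated patterns the entries describe next to a hardened form: the Host header is checked for hostname syntax and against a configured allowlist once per request, Message-ID is built only from that validated host, and the authentication cookie is emitted host-only with no Domain attribute at all. ALLOWED_HOSTS, the token value and the function names are assumptions for the example; the entries do not say how the CRLF stripping is bypassed, and this example does not attempt that.

```python
import re

# Constructed allowlist of hosts this deployment serves (assumption: real code
# reads this from its configuration, never from the request).
ALLOWED_HOSTS = frozenset({"blog.example.org", "www.example.org"})

# Hostname syntax with an optional port. Anything else (CR/LF, spaces, '<',
# '>', '@', '/') fails to match and is rejected before any header is built.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?::\d{1,5})?$"
)


def canonical_host(raw_host, allowed=ALLOWED_HOSTS):
    """Return the validated hostname (lower-cased, port stripped), or None if
    the Host header is malformed or not one of the configured hosts."""
    if raw_host is None:
        return None
    host = raw_host.strip().lower()
    if not _HOST_RE.fullmatch(host):
        return None
    hostname = host.split(":", 1)[0]
    return hostname if hostname in allowed else None


def unsafe_message_id(raw_host, token):
    """The pattern CVE-2026-39971 describes: only CR/LF are stripped, so any
    attacker-chosen host name lands in the outgoing Message-ID."""
    return "<%s@%s>" % (token, raw_host.replace("\r", "").replace("\n", ""))


def safe_message_id(raw_host, token):
    """Hardened: the Message-ID domain is a configured host or nothing."""
    host = canonical_host(raw_host)
    if host is None:
        raise ValueError("Host header is not a configured host: %r" % raw_host)
    return "<%s@%s>" % (token, host)


def unsafe_auth_cookie(raw_host, name, value):
    """The setcookie() pattern CVE-2026-39963 describes: Domain comes from
    Host, so the cookie can be scoped to whatever the attacker sent."""
    return "%s=%s; Path=/; Domain=%s; HttpOnly" % (name, value, raw_host)


def safe_auth_cookie(raw_host, name, value):
    """Hardened: the request must be for a configured host, and the cookie is
    host-only (no Domain attribute), so it is bound to the host the browser
    actually connected to and cannot be re-scoped via the Host header."""
    if canonical_host(raw_host) is None:
        raise ValueError("refusing to set an auth cookie for an unrecognised Host")
    return "%s=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (name, value)


if __name__ == "__main__":
    token = "7b1f0c2e9a"  # constructed; real code uses a random per-message token
    for host in ("blog.example.org", "BLOG.example.org:443", "attacker.example",
                 "blog.example.org\r\nX-Injected: 1"):
        print(repr(host), "->", canonical_host(host))
    print(unsafe_message_id("attacker.example", token))
    print(unsafe_auth_cookie("attacker.example", "s9y_sess", "abc"))
```

The validation belongs at the front of request handling, not in each consumer: once the Host header has been rejected with a 400, neither the mailer nor the cookie code ever sees it.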
OSV
added 2026/04/14 10:28 p.m.

GHSA-7H3J-592V-JCRP goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

Summary goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including...

CVSS 8.8 | AI score 5.8 | EPSS 0.00095
Exploits 1 | References 3