Session Fixation Vulnerability in Serendipity Weblog Engine
CVE-2026-39963

6.9 MEDIUM

Key Information:

Vendor:
S9y

CVE Published:
14 April 2026

What is CVE-2026-39963?

The vulnerability is in the serendipity_setCookie() function in include/functions_config.inc.php. In versions up to and including 2.6-beta2, the function passes $_SERVER['HTTP_HOST'] to setcookie() as the cookie domain without validating it against the configured site host. Because the Host header is client-supplied, anyone who can alter it on the path to the application (a MITM position, a misconfigured reverse proxy or a malicious load balancer) can influence the Domain attribute of the authentication cookie issued at login. A cookie scoped to a domain the attacker controls or shares (for example, a parent domain that also serves attacker-controlled subdomains) exposes the session to fixation and token leakage, and to privilege escalation if an administrator logs in through a request carrying a manipulated Host header. Browsers only accept a Domain attribute that domain-matches the host they actually requested, so the practical reach of the issue depends on what sits in front of the application. The issue was fixed in version 2.6.0; until an upgrade is possible, the reverse proxy or web server should be configured to reject or overwrite Host headers that do not match the site's canonical hostname.
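The following PHP is an added illustration, not code from Serendipity or from the fix in 2.6.0. It places the vulnerable pattern (cookie domain taken straight from the Host header) beside a hardened variant that only ever derives the domain from a configured base URL and omits the Domain attribute entirely when the request Host does not match. All function names, the CONFIGURED_BASE_URL constant, the cookie name and the request arrays are hypothetical and constructed for the example.

```php
<?php
// Added example, not Serendipity's own code: contrasts taking the cookie
// domain from the client-controlled Host header with taking it from the
// configured site URL. All function and variable names are hypothetical.
declare(strict_types=1);

// Stand-in for the blog's configured base URL (assumption: the real
// application has an equivalent setting; the name used here is invented).
const CONFIGURED_BASE_URL = 'https://blog.example.org/';

// Vulnerable pattern: whatever Host the request carried becomes the Domain.
// Only the port is stripped; nothing checks the name against configuration.
function cookieDomainFromHostHeader(array $server): string
{
    $host = $server['HTTP_HOST'] ?? '';
    return strtolower(preg_replace('/:\d+$/', '', $host));
}

// Hardened pattern: the Domain only ever comes from configuration, and the
// request Host must match it exactly. On any mismatch no Domain attribute is
// returned, which makes the browser treat the cookie as host-only.
function cookieDomainFromConfig(string $baseUrl, array $server): ?string
{
    $configuredHost = strtolower((string) parse_url($baseUrl, PHP_URL_HOST));
    $requestHost = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    if ($configuredHost === '' || $requestHost !== $configuredHost) {
        return null;
    }
    return $configuredHost;
}

// Emits the authentication cookie with the usual hardening flags; the Domain
// attribute is added only when the caller could derive a trusted one.
function setAuthCookie(string $name, string $value, ?string $domain): bool
{
    $options = [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
    if ($domain !== null) {
        $options['domain'] = $domain;
    }
    return setcookie($name, $value, $options);
}

// Constructed requests (not captured traffic). The first is what a proxy that
// forwards the client's Host header unchanged might deliver: the attacker
// asked for the parent domain, so the vulnerable code scopes the cookie to
// example.org and thereby to every subdomain the attacker can host under it.
$spoofed = ['HTTP_HOST' => 'example.org'];
$genuine = ['HTTP_HOST' => 'BLOG.example.org:443'];

printf("vulnerable, spoofed Host: Domain=%s\n",
    cookieDomainFromHostHeader($spoofed));
printf("hardened,   spoofed Host: Domain=%s\n",
    cookieDomainFromConfig(CONFIGURED_BASE_URL, $spoofed) ?? '(none, host-only cookie)');
printf("hardened,   genuine Host: Domain=%s\n",
    cookieDomainFromConfig(CONFIGURED_BASE_URL, $genuine) ?? '(none, host-only cookie)');

// Only a web SAPI can actually send the Set-Cookie header; on the CLI the
// script just prints the derived domains above. The cookie name is invented.
if (PHP_SAPI !== 'cli') {
    setAuthCookie('session_token', bin2hex(random_bytes(16)),
        cookieDomainFromConfig(CONFIGURED_BASE_URL, $_SERVER));
}
```

Run from the command line the script prints the domain each variant would emit for the two constructed requests. The design point is that the hardened variant never trusts the request to tell it which domain it is serving: the canonical host comes from configuration, the request is only compared against it, and on mismatch the safest choice is to set no Domain at all rather than to guess.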

Affected Version(s)

Serendipity < 2.6.0

CVSS V3.1

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 April 2026