Email Injection Vulnerability in Serendipity Weblog Engine
CVE-2026-39971

7.2 HIGH

Key Information:

Vendor

S9y

CVE Published:
14 April 2026

What is CVE-2026-39971?

Serendipity builds the Message-ID header of outgoing mail from the HTTP_HOST value of the request that triggered the message, without validating it first. Because the Host header is chosen by the client, an unauthenticated visitor who causes the blog to send mail (for example by posting a comment that produces a comment-notification or subscription email) can inject arbitrary headers into that message. Possible consequences include sender spoofing, reply hijacking through manipulated Message-ID threading, and abuse of the site's email reputation. The issue is fixed in Serendipity 2.6.0.
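The pattern described above, as an added example (my code, not Serendipity's, and not the project's fix): a header block is assembled with the request's Host value pasted into Message-ID, a constructed Host payload carrying CR/LF (the usual mechanism behind "arbitrary header injection"; the advisory does not spell out the payload) smuggles a Bcc header past the application, and a hardened builder rejects anything that is not a plain hostname, optionally restricted to an allow-list. All host names, addresses and the `ALLOWED_HOSTS` set are assumptions for the demonstration.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample values (not from the advisory): a benign Host header and one
# carrying a CR/LF payload that ends the Message-ID line early and appends
# a Bcc header of the attacker's choosing.
GOOD_HOST = "blog.example.invalid"
EVIL_HOST = "blog.example.invalid>\r\nBcc: attacker@attacker.invalid\r\nX-Pad: <"
ALLOWED_HOSTS = {"blog.example.invalid", "www.example.invalid"}  # assumed site config


def build_headers_vulnerable(host: str, uid: str) -> str:
    """Unsafe pattern: the request's Host value is pasted into Message-ID verbatim.
    Illustrative only; this is not Serendipity's code."""
    return (
        "From: blog@example.invalid\r\n"
        "To: owner@example.invalid\r\n"
        f"Message-ID: <{uid}@{host}>\r\n"
        "Subject: New comment on your post\r\n"
    )


def parse_header_block(block: str) -> Dict[str, List[str]]:
    """Minimal header parser: one 'Name: value' per CRLF line, no folding.
    Enough to show which headers a mail relay would actually see."""
    headers: Dict[str, List[str]] = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# One DNS label (RFC 1123 style); a host is labels joined by dots plus an optional port.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"({_LABEL}(?:\.{_LABEL})*)(?::(\d{{1,5}}))?")


def validate_host(host: str, allowed: Optional[Set[str]] = None) -> str:
    """Accept only a bare hostname with an optional port, lower-cased.
    Anything else (CR/LF, spaces, angle brackets, IPv6 literals, empty string)
    is rejected rather than sanitised, so a forged Host header never reaches a
    mail header. With an allow-list, the name must also be one of our own."""
    if len(host) > 260:
        raise ValueError("Host value too long")
    m = _HOST_RE.fullmatch(host.lower())
    if m is None:
        raise ValueError(f"rejecting Host value {host!r}: not a hostname[:port]")
    name, port = m.group(1), m.group(2)
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError(f"rejecting Host value {host!r}: bad port")
    if allowed is not None and name not in allowed:
        raise ValueError(f"rejecting Host value {name!r}: not an allowed host")
    return host.lower()


def build_headers_hardened(host: str, uid: str, allowed: Optional[Set[str]] = None) -> str:
    """Same headers, but the host is validated before it touches Message-ID."""
    return build_headers_vulnerable(validate_host(host, allowed), uid)


def is_safe_host(host: str, allowed: Optional[Set[str]] = None) -> bool:
    """True if validate_host accepts the value; convenience for checks."""
    try:
        validate_host(host, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hdrs = parse_header_block(build_headers_vulnerable(EVIL_HOST, "c42"))
    print("vulnerable build exposes headers:", sorted(hdrs))  # includes 'bcc'
    for h in (GOOD_HOST, EVIL_HOST, "BLOG.example.invalid:8443", "other.invalid"):
        verdict = "accepted" if is_safe_host(h, ALLOWED_HOSTS) else "rejected"
        print(f"{h!r:>70} -> {verdict}")
```

Two points for anyone auditing a similar code base: stripping CR and LF from the value is weaker than rejecting it, because a value like `host>\tBcc:` still lands in the header; and the most robust fix is to not derive mail headers from HTTP_HOST at all but from the site's configured hostname, using the request header only to compare against that configured value.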

Affected Version(s)

Serendipity < 2.6.0

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 April 2026