CVE-2026-39963
Received Received - Intake
Host Header Injection in Serendipity Enables Session Fixation

Publication date: 2026-04-15

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39963
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
s9y serendipity to 2.6.0 (exc)
s9y serendipity 2.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-565 The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39963 is a Host Header Injection vulnerability in the Serendipity PHP weblog engine (versions 2.6-beta2 and below). The issue arises because the serendipity_setCookie() function uses the HTTP Host header ($_SERVER['HTTP_HOST']) directly without validation when setting authentication cookies.

An attacker who can manipulate the Host header during login (for example, via Man-in-the-Middle attacks, reverse proxy misconfiguration, or load balancer manipulation) can cause authentication cookies, including session tokens and auto-login tokens, to be scoped to a domain controlled by the attacker.

This allows the attacker to perform session fixation, leak sensitive tokens to their infrastructure, and escalate privileges if an administrator logs in under the manipulated Host header.

The vulnerability was fixed in Serendipity version 2.6.0 by validating the Host header against the configured site URL before using it as the cookie domain.

Compliance Impact

The vulnerability allows attackers to hijack user sessions by manipulating the Host header, leading to session fixation, token leakage, and privilege escalation. This can result in unauthorized access to sensitive user data and authentication tokens.

Such unauthorized access and leakage of authentication tokens could potentially violate data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure and ensure data integrity.

Therefore, if exploited, this vulnerability may lead to non-compliance with these standards due to compromised confidentiality and integrity of user data.

Impact Analysis

This vulnerability can have several serious impacts on users and administrators of Serendipity:

  • Session Fixation: Attackers can pre-set cookies scoped to their domain and trick users into authenticating, causing users to inherit attacker-controlled cookies.
  • Token Leakage: Sensitive authentication tokens such as auto-login tokens may be leaked to attacker-controlled domains, compromising user accounts.
  • Privilege Escalation: If an administrator logs in while the Host header is manipulated, their admin session token can be compromised, allowing attackers to gain elevated privileges.

Overall, this vulnerability can lead to unauthorized access, session hijacking, and compromise of administrative control.

Detection Guidance

This vulnerability can be detected by checking if the Serendipity weblog engine is running a version 2.6-beta2 or below, where the serendipity_setCookie() function uses the HTTP Host header without validation.

To detect exploitation attempts or presence of the vulnerability on your system, you can monitor HTTP requests for unusual or manipulated Host headers, especially during login attempts.

Commands to help detect this might include capturing and inspecting HTTP traffic for suspicious Host headers using tools like tcpdump or Wireshark, for example:

  • tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'Host:'
  • Use web server logs to search for login requests with unexpected Host headers, e.g., using grep:
  • grep 'POST /login' /var/log/apache2/access.log | grep -i 'Host: attacker.com'

Additionally, reviewing the application version and code for the vulnerable function usage can help confirm if the system is affected.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade Serendipity to version 2.6.0 or later, where the issue has been fixed.

Version 2.6.0 includes security enhancements that mitigate host header attacks by validating the Host header before using it in cookie setting.

If upgrading immediately is not possible, a temporary mitigation involves patching the serendipity_setCookie() function to validate the HTTP_HOST header against the configured site URL before using it as the cookie domain.

  • Validate the Host header by comparing it to the configured site URL host and use the configured host if they differ.
  • Restrict or sanitize incoming Host headers at the web server or reverse proxy level to prevent attacker-controlled values.
  • Monitor and audit login requests for suspicious Host header values to detect potential exploitation attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart