CVE-2026-39963
Status: Received - Intake
Host Header Injection in Serendipity Enables Session Fixation

Publication date: 2026-04-15

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled domain. This enables session fixation, token leakage to attacker-controlled infrastructure, and privilege escalation if an admin logs in under a poisoned Host header. This issue has been fixed in version 2.6.0.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2026-04-15
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product       Version / Range
s9y      serendipity   up to 2.6.0 (2.6.0 excluded)
s9y      serendipity   2.6.0
CWE
CWE-565 (Reliance on Cookies without Validation and Integrity Checking): The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39963 is a Host header injection vulnerability in the Serendipity PHP weblog engine (versions 2.6-beta2 and below). The serendipity_setCookie() function in include/functions_config.inc.php passes $_SERVER['HTTP_HOST'] straight through as the domain parameter of setcookie() when it sets authentication cookies, so the cookie's Domain attribute is whatever the client, or anything between the client and the application, put in the Host header.

An attacker who can influence the Host header the application sees during login (from a man-in-the-middle position, through a reverse proxy or load balancer that forwards a Host value the application does not own, or via a default virtual host that answers for any name) can therefore have the authentication cookies, including session tokens and auto-login tokens, issued with an attacker-chosen Domain attribute. One caveat matters when assessing exposure: browsers discard a Set-Cookie whose Domain attribute does not domain-match the host the browser actually requested, so the practical variants are widening the cookie to a parent domain under which the attacker also controls a host (shared hosting, sibling subdomains), or deployments in which the victim really does reach the application under the poisoned name.

The result is session fixation, leakage of the tokens to attacker-controlled infrastructure, and, if an administrator logs in while the Host header is poisoned, compromise of the administrator's session.

The vulnerability was fixed in Serendipity version 2.6.0, where the Host header is validated against the configured site URL before it is used as the cookie domain.


How can this vulnerability impact me?

This vulnerability has several serious impacts on users and administrators of Serendipity:

  • Session fixation: because the cookie is scoped to a domain the attacker controls, the attacker can pre-set or read the session cookie from a host under that domain and use the session once the user has authenticated.
  • Token leakage: authentication tokens such as the auto-login token are sent to attacker-controlled hosts within the poisoned domain, compromising the user's account.
  • Privilege escalation: if an administrator logs in while the Host header is manipulated, the administrator's session token is exposed in the same way, giving the attacker administrative access.

Overall, exploitation leads to unauthorized access, session hijacking, and compromise of administrative control of the blog.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

First confirm whether the installed version is affected: Serendipity records its version in $serendipity['version'] in serendipity_config.inc.php, and anything at or below 2.6-beta2 is affected. On an affected tree, the serendipity_setCookie() function in include/functions_config.inc.php reads $_SERVER['HTTP_HOST'] for the cookie domain:

  • grep -n "serendipity\['version'\]" /path/to/serendipity/serendipity_config.inc.php
  • grep -n "HTTP_HOST" /path/to/serendipity/include/functions_config.inc.php

To detect exploitation attempts, watch the Host header on login requests, since an unexpected value there is either a proxy misconfiguration or an attack.

Commands that help, with the caveats a practitioner will run into:

  • On plaintext HTTP (port 80) the Host header is visible on the wire: tcpdump -i any -l -A -s 0 'tcp port 80' | grep --line-buffered 'Host:' (or open the capture in Wireshark). On HTTPS the header is inside the TLS session, so a capture on port 443 shows nothing useful; use the web server's or reverse proxy's logs instead, or capture on the plaintext hop between the proxy and the backend.
  • Apache's default combined log format does not record the Host header. Add it, for example LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" hostlog together with CustomLog /var/log/apache2/access.log hostlog, then list login requests whose Host is not your site's name (serendipity_admin.php is the backend entry point in a default install; substitute your configured host): grep 'POST /serendipity_admin.php' /var/log/apache2/access.log | grep -v '"blog.example.org"'
  • Searching for a known attacker name (grep -i 'Host: attacker.com') only finds that one name; filtering out the legitimate host, as above, surfaces every unexpected value.

Reviewing the version and the function as above confirms whether the system is affected.
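The log check above, carried out in code, as an added example that is not part of the advisory or the Serendipity project. It assumes access log lines written with the Apache LogFormat shown above (Host header appended in quotes) and that the login endpoint is serendipity_admin.php; the sample log lines are constructed for the demonstration.

```php
<?php
// Added example (not from the advisory or the Serendipity project): scan web
// server access log lines for login requests whose Host header is not one of
// the names this site is supposed to answer to.
// Assumptions: the log was written with the Apache LogFormat
//   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" hostlog
// and the login endpoint is serendipity_admin.php (the default backend entry
// point; adjust LOGIN_PATH for your installation).
declare(strict_types=1);

const LOGIN_PATH = '/serendipity_admin.php';

// Parse one line in the format above. Returns null if the line does not parse.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)"\s*$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?? $m[4],
        'status' => (int) $m[5],
        // Normalise the Host value: lowercase, trailing ":port" removed
        // (this also works for bracketed IPv6 literals such as "[::1]:8080").
        'host'   => strtolower((string) preg_replace('/:\d+$/', '', $m[7])),
    ];
}

// Return the login attempts whose Host header is outside the allow-list.
// $allowedHosts are host names without ports; comparison is case-insensitive.
function find_suspicious_logins(array $lines, array $allowedHosts): array
{
    $allowed = array_map('strtolower', $allowedHosts);
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_log_line($line);
        if ($e === null || $e['method'] !== 'POST' || $e['path'] !== LOGIN_PATH) {
            continue; // unparseable, or not a login POST
        }
        if (!in_array($e['host'], $allowed, true)) {
            $hits[] = $e;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): two legitimate requests,
// one login with a poisoned Host header, a non-login request under the
// poisoned name, and one line that does not match the format at all.
const SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2026:10:01:02 +0000] "POST /serendipity_admin.php HTTP/1.1" 302 512 "blog.example.org"',
    '203.0.113.5 - - [15/Apr/2026:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 8123 "blog.example.org"',
    '198.51.100.7 - - [15/Apr/2026:10:03:44 +0000] "POST /serendipity_admin.php HTTP/1.1" 302 512 "hosting.example:8443"',
    '198.51.100.7 - - [15/Apr/2026:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 8123 "hosting.example"',
    'garbage line that does not match the format',
];

// Run against the constructed sample: only the third line should be reported.
function demo(): array
{
    return find_suspicious_logins(SAMPLE_LOG, ['blog.example.org']);
}

if (PHP_SAPI === 'cli') {
    // Pass a real log file as the first argument, otherwise use the sample.
    $lines = $argc > 1
        ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : SAMPLE_LOG;
    foreach (find_suspicious_logins($lines, ['blog.example.org']) as $hit) {
        printf("%s %s POST %s Host=%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['host']);
    }
}
```

Run it as `php scan_logins.php /var/log/apache2/access.log` with your own host name in the allow-list. Because the script filters out the legitimate host rather than searching for a particular attacker name, it reports every unexpected Host value, including the proxy misconfigurations that make this vulnerability reachable in the first place.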


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade Serendipity to version 2.6.0 or later, where the issue is fixed.

Version 2.6.0 validates the Host header before it is used as the cookie domain, which removes the attacker's influence over the Domain attribute of the authentication cookies.

If upgrading immediately is not possible, a temporary mitigation is to patch serendipity_setCookie() so that the value taken from HTTP_HOST is checked against the host of the configured site URL before it is passed to setcookie(), and to add controls around the application:

  • Validate the Host header by comparing it (case-insensitively, with any port stripped) to the host of the configured site URL, and use the configured host when they differ. Omitting the domain argument altogether yields a host-only cookie, which is the narrowest scope and is an acceptable choice for a blog served under a single name.
  • Restrict Host values at the web server or reverse proxy: make the application's virtual host answer only for its configured name (nginx server_name, Apache ServerName/ServerAlias) and send requests for any other name to a catch-all default server that returns an error (for example nginx return 444;), so a poisoned Host never reaches PHP. Note that Apache's UseCanonicalName affects SERVER_NAME, not HTTP_HOST, so on its own it does not change the value the application reads.
  • Monitor and audit login requests for unexpected Host header values to detect exploitation attempts.
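The following is an added example, not Serendipity's own code, showing the vulnerable cookie-domain derivation described in the advisory as a simplified reconstruction next to the hardened form recommended above. It assumes the configured site URL is available as $config['baseURL'] and takes the request environment as an array shaped like $_SERVER; the demonstration input is constructed.

```php
<?php
// Added example (not Serendipity's own code): a simplified reconstruction of
// the vulnerable cookie-domain derivation beside a hardened replacement that
// accepts the Host header only if it matches the host of the configured site
// URL and otherwise falls back to the configured host.
// Assumptions: the configured site URL is $config['baseURL'] and the request
// environment is passed in as an array shaped like $_SERVER.
declare(strict_types=1);

// Strip an explicit port from a Host header value, handling bracketed IPv6
// literals such as "[2001:db8::1]:8080", which contain colons of their own.
function host_without_port(string $host): string
{
    $host = trim($host);
    if ($host !== '' && $host[0] === '[') {
        $end = strpos($host, ']');
        return $end === false ? '' : substr($host, 0, $end + 1);
    }
    $pos = strpos($host, ':');
    return $pos === false ? $host : substr($host, 0, $pos);
}

// Vulnerable pattern: whatever the client sent as Host becomes the cookie's
// Domain attribute, with no check against what this site is actually called.
function cookie_domain_vulnerable(array $server): string
{
    return host_without_port($server['HTTP_HOST'] ?? '');
}

// Hardened pattern: compare the request's Host with the configured host and
// never let an unexpected value reach setcookie(). Returns the configured
// host, or '' (a host-only cookie, the narrowest scope) if none is configured.
function cookie_domain_hardened(array $server, array $config): string
{
    $configured = parse_url($config['baseURL'] ?? '', PHP_URL_HOST);
    if (!is_string($configured) || $configured === '') {
        return ''; // misconfigured site URL: fail closed to a host-only cookie
    }
    $configured = strtolower($configured);
    $requested  = strtolower(host_without_port($server['HTTP_HOST'] ?? ''));

    if ($requested !== $configured) {
        // A mismatch is either a proxy misconfiguration or an attack; log it.
        error_log(sprintf(
            'setCookie: Host header "%s" does not match configured host "%s"; using configured host',
            $requested, $configured
        ));
    }
    return $configured;
}

// Hardened cookie issuance: the validated domain plus the flags every
// authentication cookie should carry. setcookie() returns false if headers
// were already sent, so callers should check the result.
function set_auth_cookie_hardened(string $name, string $value, array $server, array $config): bool
{
    $https  = (string) ($server['HTTPS'] ?? 'off');
    $secure = $https !== '' && strtolower($https) !== 'off';
    return setcookie("serendipity[$name]", $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'domain'   => cookie_domain_hardened($server, $config),
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration input: the blog lives at blog.example.org, but the
// login request arrives with a Host header chosen by the attacker.
function demo(): array
{
    $config   = ['baseURL' => 'https://blog.example.org/'];
    $poisoned = ['HTTP_HOST' => 'hosting.example:8443', 'HTTPS' => 'on'];
    return [
        'vulnerable' => cookie_domain_vulnerable($poisoned, ),
        'hardened'   => cookie_domain_hardened($poisoned, $config),
    ];
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
}
```

For the constructed input the vulnerable path yields hosting.example, a parent domain under which an attacker could host a sibling name, while the hardened path returns blog.example.org and writes the mismatch to the error log. Comparing after lowercasing and port stripping matters: a Host of BLOG.EXAMPLE.ORG:443 is the same site and should not be rejected, whereas anything else is not.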

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to hijack user sessions by manipulating the Host header, leading to session fixation, token leakage, and privilege escalation. This can result in unauthorized access to sensitive user data and authentication tokens.

Such unauthorized access and leakage of authentication tokens could potentially violate data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure and ensure data integrity.

Therefore, if exploited, this vulnerability may lead to non-compliance with these standards due to compromised confidentiality and integrity of user data.

