CVE-2026-39971
SMTP Header Injection in Serendipity Email Function Enables Spoofing
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| s9y | serendipity | up to 2.6.0 (exclusive) |
| s9y | serendipity | 2.6.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to inject arbitrary SMTP headers into outgoing emails by manipulating the HTTP Host header. This can lead to identity spoofing, reply hijacking, and email reputation abuse.
Such unauthorized manipulation of email headers and potential spoofing can undermine the integrity and confidentiality of email communications, which are critical aspects of compliance with standards like GDPR and HIPAA.
Specifically, GDPR requires protection of personal data and secure communication channels, while HIPAA mandates safeguarding electronic protected health information (ePHI). Exploitation of this vulnerability could lead to unauthorized disclosure or alteration of sensitive information via email, thus potentially violating these regulations.
Therefore, until patched, systems using vulnerable versions of Serendipity may face compliance risks related to data integrity, confidentiality, and secure communication requirements.
Can you explain this vulnerability to me?
CVE-2026-39971 is a high-severity vulnerability in the Serendipity blogging platform (versions 2.6-beta2 and below) that allows an attacker to inject arbitrary SMTP headers into outgoing emails.
The issue arises because the email sending function inserts the HTTP Host header ($_SERVER['HTTP_HOST']) directly into the Message-ID SMTP header without proper validation or sanitization.
An attacker who can control the Host header during actions that trigger emails (like comment notifications or subscription emails) can manipulate the Message-ID header to inject malicious SMTP headers.
This enables attacks such as identity spoofing, reply hijacking via manipulated email threading, and abuse of email reputation by embedding attacker domains in legitimate mail headers.
The vulnerability was fixed in Serendipity version 2.6.0 by properly sanitizing the Host header before embedding it in email headers.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to manipulate outgoing emails from your Serendipity weblog.
- Spam relay: Attackers can use your server to send spam emails.
- BCC injection: Attackers can add unauthorized blind carbon copy recipients.
- Email spoofing and identity spoofing: Emails can appear to come from attacker-controlled domains, damaging trust.
- Reply hijacking: Manipulated Message-ID headers can redirect email replies to attacker infrastructure.
- Email reputation abuse: Embedding attacker domains in legitimate mail headers can harm your email reputation.
Emails affected include comment notifications, subscription notifications, and potentially password reset emails.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring outgoing emails generated by the Serendipity weblog engine for suspicious or malformed Message-ID headers that include unexpected or attacker-controlled domain names. Specifically, look for Message-ID headers containing unusual or manipulated HTTP_HOST values.
To detect exploitation attempts, you can capture HTTP requests to the Serendipity server and inspect the Host headers for suspicious or unusual values that could be used to inject SMTP headers.
Suggested commands include:
- Use tcpdump or Wireshark to capture HTTP traffic and filter for Host headers: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host:'
- Search mail logs for suspicious Message-ID headers containing unexpected domains: grep -i 'Message-ID' /var/log/mail.log | grep -v 'yourdomain.com'
- Check web server logs for HTTP requests with unusual Host headers that could be used for injection.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Serendipity to version 2.6.0 or later, where this vulnerability has been fixed.
If upgrading is not immediately possible, apply a patch to sanitize the HTTP_HOST value before embedding it in email headers. This involves restricting the HTTP_HOST to valid hostname characters only, for example by using a regular expression to remove invalid characters.
Specifically, modify the code that constructs the Message-ID header to sanitize the host value as follows:
```php
$safe_host = preg_replace('/[^a-zA-Z0-9.\-]/', '', parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST));
$maildata['headers'][] = 'Message-ID: <' . bin2hex(random_bytes(16)) . '@' . $safe_host . '>';
```
Additionally, monitor outgoing emails and HTTP requests for signs of exploitation and consider restricting or validating Host headers at the web server or application firewall level.
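The two defensive checks suggested above (scanning mail logs for Message-ID domains you do not own, and rejecting Host values that are not plain hostnames at the web server or WAF layer) as one added Python example; this is not Serendipity's code or code from this page. The function names, the allowlist domain blog.example.org and the sample log lines are constructed for illustration; the log lines follow the Postfix cleanup "message-id=<...>" format.

```python
import re

# Same character set the page's PHP fix keeps: letters, digits, dot, hyphen.
# fullmatch() is used rather than ^...$ because "$" would accept a trailing "\n".
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")
# Matches Postfix-style "message-id=<...>" as well as a raw "Message-ID: <...>" header.
MESSAGE_ID_RE = re.compile(r"message-id[=:]\s*<([^>]*)>", re.IGNORECASE)


def is_safe_host(raw_host: str) -> bool:
    """True if an HTTP Host value is a bare hostname with an optional numeric port.
    CR, LF, spaces or any other header-separator characters make it unsafe,
    which is the allow rule a web server or WAF would enforce in front of the app."""
    host, _, port = raw_host.partition(":")
    if port and not port.isdigit():
        return False
    return HOSTNAME_RE.fullmatch(host) is not None


def suspicious_message_ids(log_lines, allowed_domains):
    """Return Message-ID values whose domain part is not in allowed_domains
    or is not a well-formed hostname (e.g. still carries a port or stray characters)."""
    allowed = {d.lower() for d in allowed_domains}
    flagged = []
    for line in log_lines:
        m = MESSAGE_ID_RE.search(line)
        if not m:
            continue  # not a line that records a Message-ID
        msgid = m.group(1)
        _, _, domain = msgid.rpartition("@")
        if not domain or HOSTNAME_RE.fullmatch(domain) is None or domain.lower() not in allowed:
            flagged.append(msgid)
    return flagged


# Constructed sample mail log lines (hypothetical host "blog", Postfix cleanup format).
SAMPLE_MAIL_LOG = [
    "Apr 15 10:01:02 blog postfix/cleanup[1234]: 5A1B2C: message-id=<0ab1@blog.example.org>",
    "Apr 15 10:02:15 blog postfix/cleanup[1235]: 5A1B2D: message-id=<0ab2@blog.example.org>",
    "Apr 15 10:03:40 blog postfix/cleanup[1236]: 5A1B2E: message-id=<0ab3@attacker.example>",
    "Apr 15 10:04:01 blog postfix/cleanup[1237]: 5A1B2F: message-id=<0ab4@blog.example.org:8080>",
    "Apr 15 10:05:09 blog postfix/smtp[1300]: 5A1B2C: to=<admin@blog.example.org>, status=sent",
]

if __name__ == "__main__":
    for msgid in suspicious_message_ids(SAMPLE_MAIL_LOG, ["blog.example.org"]):
        print("suspicious Message-ID:", msgid)
```

Feed real lines from /var/log/mail.log and your own domains to suspicious_message_ids(); a flagged entry from a comment-notification or subscription mail is the signal the grep command above looks for, with the malformed-hostname case covered as well.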