VYPR

Packagist (Composer) package

s9y/serendipity

pkg:composer/s9y/serendipity

Vulnerabilities (2)

  • CVE-2026-39971 (High), Apr 15, 2026
    affected < 2.6.0, fixed 2.6.0

    Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_

  • CVE-2026-39963 (Medium), Apr 15, 2026
    affected < 2.6.0, fixed 2.6.0

    Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host head