CVE-2026-39971: Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

April 14, 2026 (updated April 27, 2026)

Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC injection, and email spoofing.

References

github.com/advisories/GHSA-458g-q4fh-mj6r
github.com/s9y/Serendipity
github.com/s9y/Serendipity/releases/tag/2.6.0
github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r
nvd.nist.gov/vuln/detail/CVE-2026-39971

Code Behaviors & Features

Detect and mitigate CVE-2026-39971 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →