CVE-2026-39963: CWE-565: Reliance on Cookies without Validation and Integrity Checking in s9y Serendipity
Serendipity versions prior to 2. 6. 0 contain a vulnerability where the function serendipity_setCookie() uses the HTTP Host header without validation when setting cookies. This allows an attacker who can manipulate the Host header during login to cause authentication cookies to be scoped to an attacker-controlled domain. The vulnerability enables session fixation, token leakage, and potential privilege escalation if an administrator logs in under a manipulated Host header. The issue is fixed in version 2. 6. 0.
AI Analysis
Technical Summary
CVE-2026-39963 affects Serendipity weblog engine versions before 2.6.0. The vulnerability arises because serendipity_setCookie() uses the unvalidated $_SERVER['HTTP_HOST'] value as the domain parameter in setcookie(). An attacker capable of influencing the Host header (e.g., via MITM, reverse proxy misconfiguration, or load balancer manipulation) can cause authentication cookies, including session and auto-login tokens, to be scoped to a domain controlled by the attacker. This can lead to session fixation, leakage of authentication tokens to attacker infrastructure, and privilege escalation if an admin logs in with a poisoned Host header. The vulnerability is classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking).
Potential Impact
Successful exploitation allows attackers to fix sessions, steal authentication tokens, and escalate privileges by manipulating cookie domains. This can compromise user sessions, including administrative accounts, leading to unauthorized access. The CVSS score is 6.9 (medium severity), reflecting network attack vector with high confidentiality impact but limited integrity and no availability impact.
Mitigation Recommendations
Upgrade Serendipity to version 2.6.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 2.6.0, applying this official fix is the recommended remediation. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are specified.
CVE-2026-39963: CWE-565: Reliance on Cookies without Validation and Integrity Checking in s9y Serendipity
Description
Serendipity versions prior to 2. 6. 0 contain a vulnerability where the function serendipity_setCookie() uses the HTTP Host header without validation when setting cookies. This allows an attacker who can manipulate the Host header during login to cause authentication cookies to be scoped to an attacker-controlled domain. The vulnerability enables session fixation, token leakage, and potential privilege escalation if an administrator logs in under a manipulated Host header. The issue is fixed in version 2. 6. 0.
CVSS v3.1
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39963 affects Serendipity weblog engine versions before 2.6.0. The vulnerability arises because serendipity_setCookie() uses the unvalidated $_SERVER['HTTP_HOST'] value as the domain parameter in setcookie(). An attacker capable of influencing the Host header (e.g., via MITM, reverse proxy misconfiguration, or load balancer manipulation) can cause authentication cookies, including session and auto-login tokens, to be scoped to a domain controlled by the attacker. This can lead to session fixation, leakage of authentication tokens to attacker infrastructure, and privilege escalation if an admin logs in with a poisoned Host header. The vulnerability is classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking).
Potential Impact
Successful exploitation allows attackers to fix sessions, steal authentication tokens, and escalate privileges by manipulating cookie domains. This can compromise user sessions, including administrative accounts, leading to unauthorized access. The CVSS score is 6.9 (medium severity), reflecting network attack vector with high confidentiality impact but limited integrity and no availability impact.
Mitigation Recommendations
Upgrade Serendipity to version 2.6.0 or later, where this vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 2.6.0, applying this official fix is the recommended remediation. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-08T00:01:47.626Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ded57682d89c981f20b4a4
Added to database: 4/15/2026, 12:01:58 AM
Last enriched: 4/22/2026, 6:50:24 AM
Last updated: 5/31/2026, 5:11:57 AM
Views: 292
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.