CVE-2026-39963: CWE-565: Reliance on Cookies without Validation and Integrity Checking in s9y Serendipity
Serendipity versions prior to 2. 6. 0 have a vulnerability in the serendipity_setCookie() function where the HTTP Host header is used without validation when setting cookies. This can allow an attacker who can manipulate the Host header at login to cause authentication cookies to be scoped to an attacker-controlled domain. The vulnerability enables session fixation, token leakage, and potential privilege escalation if an administrator logs in under a manipulated Host header. The issue has been fixed in version 2. 6. 0.
AI Analysis
Technical Summary
CVE-2026-39963 affects Serendipity weblog engine versions before 2.6.0. The serendipity_setCookie() function uses the unvalidated $_SERVER['HTTP_HOST'] value as the domain parameter in setcookie(). An attacker capable of influencing the Host header during login (e.g., via MITM, reverse proxy misconfiguration, or load balancer manipulation) can cause authentication cookies, including session and auto-login tokens, to be scoped to a domain controlled by the attacker. This leads to session fixation, leakage of tokens to attacker infrastructure, and possible privilege escalation if an admin authenticates under the poisoned Host header. The vulnerability is tracked as CWE-565 (Reliance on Cookies without Validation and Integrity Checking). The issue is resolved in Serendipity version 2.6.0.
Potential Impact
Exploitation allows attackers to fix sessions or leak authentication tokens by manipulating the Host header, potentially leading to unauthorized access and privilege escalation, especially if an administrator logs in under the attacker-controlled domain. The CVSS score of 6.9 (medium severity) reflects the network attack vector, high confidentiality impact, limited integrity impact, and no availability impact.
Mitigation Recommendations
Upgrade Serendipity to version 2.6.0 or later, where this vulnerability has been fixed. Patch status is not explicitly stated beyond the fix in version 2.6.0, so users should verify they are running this or a newer version. No vendor advisory was provided to indicate alternative mitigations or temporary fixes.
CVE-2026-39963: CWE-565: Reliance on Cookies without Validation and Integrity Checking in s9y Serendipity
Description
Serendipity versions prior to 2. 6. 0 have a vulnerability in the serendipity_setCookie() function where the HTTP Host header is used without validation when setting cookies. This can allow an attacker who can manipulate the Host header at login to cause authentication cookies to be scoped to an attacker-controlled domain. The vulnerability enables session fixation, token leakage, and potential privilege escalation if an administrator logs in under a manipulated Host header. The issue has been fixed in version 2. 6. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39963 affects Serendipity weblog engine versions before 2.6.0. The serendipity_setCookie() function uses the unvalidated $_SERVER['HTTP_HOST'] value as the domain parameter in setcookie(). An attacker capable of influencing the Host header during login (e.g., via MITM, reverse proxy misconfiguration, or load balancer manipulation) can cause authentication cookies, including session and auto-login tokens, to be scoped to a domain controlled by the attacker. This leads to session fixation, leakage of tokens to attacker infrastructure, and possible privilege escalation if an admin authenticates under the poisoned Host header. The vulnerability is tracked as CWE-565 (Reliance on Cookies without Validation and Integrity Checking). The issue is resolved in Serendipity version 2.6.0.
Potential Impact
Exploitation allows attackers to fix sessions or leak authentication tokens by manipulating the Host header, potentially leading to unauthorized access and privilege escalation, especially if an administrator logs in under the attacker-controlled domain. The CVSS score of 6.9 (medium severity) reflects the network attack vector, high confidentiality impact, limited integrity impact, and no availability impact.
Mitigation Recommendations
Upgrade Serendipity to version 2.6.0 or later, where this vulnerability has been fixed. Patch status is not explicitly stated beyond the fix in version 2.6.0, so users should verify they are running this or a newer version. No vendor advisory was provided to indicate alternative mitigations or temporary fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-08T00:01:47.626Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ded57682d89c981f20b4a4
Added to database: 4/15/2026, 12:01:58 AM
Last enriched: 4/15/2026, 12:17:06 AM
Last updated: 4/15/2026, 1:11:16 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.