s9y/serendipity Security Advisories (2)
- [HIGH] Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
  PKSA-fdbd-416g-v2zm CVE-2026-39971 GHSA-458g-q4fh-mj6r
  Affected version: <2.6.0
  Reported by: GitHub
- [MEDIUM] Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php
  PKSA-vfgc-2rdq-w256 CVE-2026-39963 GHSA-4m6c-649p-f6gf
  Affected version: <2.6.0
  Reported by: GitHub