[HIGH] Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header

PKSA-fdbd-416g-v2zm CVE-2026-39971 GHSA-458g-q4fh-mj6r

Affected package: s9y/serendipity

Affected version: <2.6.0

Reported by:
GitHub