[MEDIUM] Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php

PKSA-vfgc-2rdq-w256 CVE-2026-39963 GHSA-4m6c-649p-f6gf

Affected package: s9y/serendipity

Affected version: <2.6.0

Reported by:
GitHub