Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1022869?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1022869?format=api", "purl": "pkg:composer/s9y/serendipity@2.5.0", "type": "composer", "namespace": "s9y", "name": "serendipity", "version": "2.5.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.6.0", "latest_non_vulnerable_version": "2.6.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89117?format=api", "vulnerability_id": "VCID-j6g2-a5cn-wuh9", "summary": "Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header\n### Summary\nSerendipity inserts `$_SERVER['HTTP_HOST']` directly into the `Message-ID` SMTP header without any validation beyond CRLF stripping. An attacker who can control the `Host` header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC injection, and email spoofing.\n\n### Details\nIn `include/functions.inc.php:548`:\n```php\n$maildata['headers'][] = 'Message-ID: <' \n . bin2hex(random_bytes(16)) \n . '@' . $_SERVER['HTTP_HOST'] // ← unsanitized, attacker-controlled\n . '>';\n```\n\nThe existing sanitization function only blocks `\\r\\n` and URL-encoded variants:\n```php\nfunction serendipity_isResponseClean($d) {\n return (strpos($d, \"\\r\") === false && strpos($d, \"\\n\") === false \n && stripos($d, \"%0A\") === false && stripos($d, \"%0D\") === false);\n}\n```\n\nCritically, `serendipity_isResponseClean()` is **not even called** on `HTTP_HOST` before embedding it into the mail headers — making this exploitable with any character that SMTP interprets as a header delimiter.\n\nEmail is triggered by actions such as:\n- New comment notifications to blog owner\n- Comment subscription notifications to subscribers\n- Password reset emails (if configured)\n\n### PoC\n```bash\n# Trigger comment notification email with injected header\ncurl -s -X POST \\\n -H \"Host: attacker.com>\\r\\nBcc: victim@evil.com\\r\\nX-Injected:\" \\\n -d \"serendipity[comment]=test&serendipity[name]=hacker&serendipity[email]=a@b.com&serendipity[entry_id]=1\" \\\n http://[TARGET]/comment.php\n```\nResulting malicious `Message-ID` header in outgoing email:\n```\nMessage-ID: <deadbeef@attacker.com>\nBcc: victim@evil.com\nX-Injected: >\n```\n\n### Impact\nAn attacker can control the domain portion of the `Message-ID` header in all outgoing emails sent by Serendipity (comment notifications, subscriptions). \nThis enables:\n- **Identity spoofing** — emails appear to originate from attacker-controlled domain\n- **Reply hijacking** — some mail clients use Message-ID for threading, pointing replies toward attacker infrastructure\n- **Email reputation abuse** — attacker's domain embedded in legitimate mail headers\n### Suggested Fix\nSanitize `HTTP_HOST` before embedding in mail headers, and restrict to valid hostname characters only:\n```php\n$safe_host = preg_replace('/[^a-zA-Z0-9.\\-]/', '', \n parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST)\n);\n$maildata['headers'][] = 'Message-ID: ';\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39971", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20242", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20152", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20138", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20204", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.2025", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39971" }, { "reference_url": "https://github.com/s9y/Serendipity", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/s9y/Serendipity" }, { "reference_url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T16:20:55Z/" } ], "url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0" }, { "reference_url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T16:20:55Z/" } ], "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39971", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39971" }, { "reference_url": "https://github.com/advisories/GHSA-458g-q4fh-mj6r", "reference_id": "GHSA-458g-q4fh-mj6r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-458g-q4fh-mj6r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110152?format=api", "purl": "pkg:composer/s9y/serendipity@2.6.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/s9y/serendipity@2.6.0" } ], "aliases": [ "CVE-2026-39971", "GHSA-458g-q4fh-mj6r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6g2-a5cn-wuh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89639?format=api", "vulnerability_id": "VCID-uvee-2342-37bz", "summary": "Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php\n### Summary\nThe `serendipity_setCookie()` function uses `$_SERVER['HTTP_HOST']` without validation as the `domain` parameter of `setcookie()`. An attacker can force authentication cookies — including session tokens and auto-login tokens — to be scoped to an attacker-controlled domain, facilitating session hijacking.\n\n### Details\nIn `include/functions_config.inc.php:726`:\n```php\nfunction serendipity_setCookie($name, $value, $securebyprot = true, ...) {\n $host = $_SERVER['HTTP_HOST']; // ← attacker-controlled, no validation\n\n if ($securebyprot) {\n if ($pos = strpos($host, \":\")) {\n $host = substr($host, 0, $pos); // strips port only\n }\n }\n\n setcookie(\"serendipity[$name]\", $value, [\n 'domain' => $host, // ← poisoned domain\n 'httponly' => $httpOnly,\n 'samesite' => 'Strict'\n ]);\n}\n```\n\nThis function is called during login with sensitive cookies:\n```php\n// functions_config.inc.php:455-498\nserendipity_setCookie('author_autologintoken', $rnd, true, false, true);\nserendipity_setCookie('author_username', $user);\nserendipity_setCookie('author_token', $hash);\n```\n\nIf an attacker can influence the `Host` header at login time (e.g. via MITM, reverse proxy misconfiguration, or load balancer), authentication cookies are issued scoped to the attacker's domain instead of the legitimate one.\n\n### PoC\n```bash\ncurl -v -X POST \\\n -H \"Host: attacker.com\" \\\n -d \"serendipity[user]=admin&serendipity[pass]=admin\" \\\n http://[TARGET]/serendipity_admin.php 2>&1 | grep -i \"set-cookie\"\n```\n\nExpected output:\n```http\nSet-Cookie: serendipity[author_token]=; domain=attacker.com; HttpOnly\n```\n\n### Impact\n- **Session fixation** — attacker pre-sets a cookie scoped to their domain, then tricks the victim into authenticating, inheriting the poisoned token\n- **Token leakage** — `author_autologintoken` scoped to wrong domain may be sent to attacker-controlled infrastructure\n- **Privilege escalation** — if admin logs in under a poisoned Host header, their admin token is compromised\n\n### Suggested Fix\nValidate `HTTP_HOST` against the configured `$serendipity['url']` before use:\n```php\nfunction serendipity_setCookie($name, $value, ...) {\n global $serendipity;\n $configured = parse_url($serendipity['url'], PHP_URL_HOST);\n $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);\n $host = ($host === $configured) ? $host : $configured;\n\n setcookie(\"serendipity[$name]\", $value, [\n 'domain' => $host,\n ...\n ]);\n}\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39963", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22735", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22641", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22638", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22688", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.2275", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39963" }, { "reference_url": "https://github.com/s9y/Serendipity", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/s9y/Serendipity" }, { "reference_url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T13:23:44Z/" } ], "url": "https://github.com/s9y/Serendipity/releases/tag/2.6.0" }, { "reference_url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T13:23:44Z/" } ], "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-4m6c-649p-f6gf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39963", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39963" }, { "reference_url": "https://github.com/advisories/GHSA-4m6c-649p-f6gf", "reference_id": "GHSA-4m6c-649p-f6gf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4m6c-649p-f6gf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110152?format=api", "purl": "pkg:composer/s9y/serendipity@2.6.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/s9y/serendipity@2.6.0" } ], "aliases": [ "CVE-2026-39963", "GHSA-4m6c-649p-f6gf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uvee-2342-37bz" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/s9y/serendipity@2.5.0" }