Serendipity Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting) Vulnerability - CVE-2026-39971 - Vulnerability Database

Serendipity Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting) Vulnerability - CVE-2026-39971

High
Reference: CVE-2026-39971
Title: Serendipity Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting) Vulnerability
Overview:

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email-sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action, such as comment notifications or subscription emails, can inject arbitrary SMTP headers into outgoing emails. This enables identity spoofing, reply hijacking via manipulated Message-ID threading, and email reputation abuse through the attacker's domain being embedded in legitimate mail headers. This issue has been fixed in version 2.6.0.
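The pattern described above, shown as an added example that is not Serendipity's own code: the unsafe construction that copies the Host header into Message-ID verbatim, next to a hardened variant that only accepts a syntactically valid hostname and otherwise falls back to a configured domain. The helper names (unsafe_message_id, safe_message_id_host, safe_message_id) and the sample inputs are constructed for this illustration; the page names serendipity_isResponseClean() but not its signature, so it is not called here.

```php
<?php
// Added example, not code from the Serendipity project. Hypothetical helpers.

// Unsafe pattern the advisory describes: the request's Host value becomes
// part of the Message-ID header unchanged, so a CR/LF inside it ends the
// header line and whatever follows is parsed as a new SMTP header.
function unsafe_message_id(string $host): string {
    return '<' . uniqid() . '@' . $host . '>';
}

// Hardened variant: accept only a plain DNS name (optionally with a port);
// anything else, including values containing CR or LF, is replaced by a
// fixed domain from configuration. Comparing against an allow-list of the
// blog's known hostnames would be stricter still.
function safe_message_id_host(string $host, string $fallback): string {
    // The /D modifier keeps '$' from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$/D', $host)) {
        return $fallback;
    }
    // A port number has no place in a Message-ID domain part.
    return preg_replace('/:\d+$/', '', $host);
}

function safe_message_id(string $host, string $fallback): string {
    return '<' . uniqid() . '@' . safe_message_id_host($host, $fallback) . '>';
}

// Constructed inputs for a self-check (not captured traffic).
$clean = 'blog.example:8080';
$crlf  = "blog.example\r\nX-Injected: 1";   // header-splitting attempt

// The unsafe builder carries the line break straight into the header.
assert(strpos(unsafe_message_id($crlf), "\r\n") !== false);

// The hardened builder keeps a valid host and drops the tampered one.
assert(safe_message_id_host($clean, 'fallback.example') === 'blog.example');
assert(safe_message_id_host($crlf,  'fallback.example') === 'fallback.example');
assert(strpos(safe_message_id($crlf, 'fallback.example'), "\r\n") === false);

echo safe_message_id($clean, 'fallback.example'), PHP_EOL;
```

Run with zend.assertions=1 so the self-checks are evaluated; the same validation belongs on every place a request-controlled value reaches a mail header, not only Message-ID.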