Aggregated CVE and security vulnerability information for the S9y (Serendipity) product family, with CVSS score, EPSS probability, publication date and the published description for each entry.
The published issues are mostly stored cross-site scripting (including in bundled editor and plugin code), arbitrary file upload leading to remote code execution, SQL injection, CSRF against plugin and theme installation, and trust in the client-supplied Host header when scoping cookies and composing mail headers; depending on the deployment they can lead to session compromise, data exposure or full server compromise.
The data is taken from public vulnerability databases and security advisories and can be used to assess historical exposure and patch priority. The CVSS column is the highest base score among the listed sources; EPSS is the estimated probability that the flaw is exploited in the wild within the next 30 days, as computed when the page was generated. Affected version ranges are only as precise as the advisory text, so check the installed version against the "before" / "and below" wording of each summary before triaging.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-39971 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean() is not called on HTTP_HOST before embedding it. An attacker who can control the Host header during an email-triggering action such as comment notifications or subscription emails can inject arbitrary SM | [email protected] | 7.2 | 0.06% | 2026-04-15 | 2026-04-23 |
| CVE-2026-39963 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or load balancer manipulation, can force authentication cookies including session tokens and auto-login tokens to be scoped to an attacker-controlled do | [email protected] | 6.9 | 0.05% | 2026-04-15 | 2026-04-23 |
| CVE-2023-53933 | Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. | [email protected] | 8.7 | 0.64% | 2025-12-17 | 2025-12-24 |
| CVE-2023-53932 | Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post. | [email protected] | 5.1 | 0.03% | 2025-12-17 | 2025-12-27 |
| CVE-2024-58282 | Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server. | [email protected] | 8.6 | 0.38% | 2025-12-10 | 2025-12-19 |
| CVE-2023-31576 | An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or Javascript file. | [email protected] | 8.8 | 0.88% | 2023-05-16 | 2025-01-23 |
| CVE-2020-10964 | Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename. | [email protected] | 9.8 | 3.80% | 2020-03-25 | 2024-11-21 |
| CVE-2011-3610 | A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf. | [email protected] | 6.1 | 0.35% | 2020-01-22 | 2024-11-21 |
| CVE-2011-4090 | Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation. | [email protected] | 6.1 | 1.43% | 2019-11-26 | 2024-11-21 |
| CVE-2011-1135 | Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php. | [email protected] | 6.1 | 0.86% | 2019-11-05 | 2024-11-21 |
| CVE-2011-1134 | Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager. | [email protected] | 9.8 | 5.00% | 2019-11-05 | 2024-11-21 |
| CVE-2011-1133 | Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php. | [email protected] | 6.1 | 0.86% | 2019-11-05 | 2024-11-21 |
| CVE-2016-10752 | serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename. | [email protected] | 9.8 | 0.75% | 2019-05-24 | 2024-11-21 |
| CVE-2019-11870 | Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature. | [email protected] | 6.1 | 0.43% | 2019-05-09 | 2024-11-21 |
| CVE-2016-10737 | Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter. | [email protected] | 5.4 | 0.28% | 2019-01-16 | 2024-11-21 |
| CVE-2017-1000129 | Serendipity 2.0.3 is vulnerable to a SQL injection in the blog component resulting in information disclosure | [email protected] | 7.5 | 0.33% | 2017-11-17 | 2026-05-13 |
| CVE-2017-8102 | Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin. | [email protected] | 5.4 | 0.18% | 2017-04-24 | 2026-05-13 |
| CVE-2017-8101 | There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request. | [email protected] | 8.8 | 0.12% | 2017-04-24 | 2026-05-13 |
| CVE-2017-5609 | SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter. | [email protected] | 8.8 | 1.01% | 2017-01-28 | 2026-05-13 |
| CVE-2017-5476 | Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin. | [email protected] | 8.8 | 0.16% | 2017-01-14 | 2026-05-13 |
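Two of the 2026 entries above, CVE-2026-39963 and CVE-2026-39971, share one root cause: `$_SERVER['HTTP_HOST']` is trusted as if it were the site's own hostname, once as the `Domain` attribute of the session cookie and once inside an SMTP `Message-ID` header. The Python below is an added illustration of the fix pattern; it is not Serendipity's PHP and is not taken from the advisories. It shows the vulnerable pattern (`unsafe_cookie_domain`) beside a validator that checks the header syntactically and against an operator-configured allowlist before the value is used for cookie scoping or a mail header. The `allowed_hosts` set, the `s9y_sess` cookie name and the request header dictionaries are constructed for the example.

```python
import ipaddress
import re

# Hostname labels per RFC 1123, an optional trailing dot and an optional :port, or a bracketed
# IPv6 literal. Matched with fullmatch(), so CR, LF, spaces or any other byte outside this
# alphabet fails the check instead of being passed along to a cookie or a mail header.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"(?P<host>\[[0-9A-Fa-f:.]+\]|{_LABEL}(?:\.{_LABEL})*\.?)(?::(?P<port>[0-9]{{1,5}}))?")


class UntrustedHost(ValueError):
    """Raised when the Host header is malformed or not one of the configured hostnames."""


def unsafe_cookie_domain(headers: dict) -> str:
    # The vulnerable pattern: whatever the client (or a misconfigured proxy) sent becomes
    # the cookie scope, so a spoofed Host header re-homes the session cookie.
    return headers["Host"]


def canonical_host(headers: dict, allowed_hosts: set) -> str:
    """Validate the Host header and return the lower-cased hostname without port.

    `headers` is assumed to be a plain dict with a "Host" key (constructed for the example);
    a real framework would expose the header case-insensitively.
    """
    match = HOST_RE.fullmatch(headers.get("Host", "").strip())
    if match is None:
        raise UntrustedHost("malformed Host header")
    port = match.group("port")
    if port is not None and not 0 < int(port) < 65536:
        raise UntrustedHost("port out of range")
    host = match.group("host").rstrip(".").lower()
    if host not in allowed_hosts:
        raise UntrustedHost(f"Host {host!r} is not a configured hostname")
    return host


def is_rejected_host(headers: dict, allowed_hosts: set) -> bool:
    """Convenience predicate for tests and logging: True when the header would be refused."""
    try:
        canonical_host(headers, allowed_hosts)
    except UntrustedHost:
        return True
    return False


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def cookie_header(name: str, value: str, headers: dict, allowed_hosts: set) -> str:
    """Build a Set-Cookie value whose Domain is the validated host, never the raw header."""
    host = canonical_host(headers, allowed_hosts)
    attrs = [f"{name}={value}"]
    # Browsers ignore Domain= for IP literals; a host-only cookie is the correct scope there.
    if not _is_ip_literal(host):
        attrs.append(f"Domain={host}")
    attrs += ["Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(attrs)


def message_id(token: str, headers: dict, allowed_hosts: set) -> str:
    """Message-ID built only from a validated hostname, so no CRLF can start a second header."""
    return f"<{token}@{canonical_host(headers, allowed_hosts)}>"


if __name__ == "__main__":
    allowed = {"blog.example.org"}
    print(cookie_header("s9y_sess", "abc123", {"Host": "Blog.Example.org:443"}, allowed))
    print(message_id("20260415.1", {"Host": "blog.example.org"}, allowed))
    print(is_rejected_host({"Host": "blog.example.org\r\nBcc: x@attacker.test"}, allowed))
```

Refusing rather than normalising matters for the mail case: a value containing CR or LF fails `fullmatch`, so nothing after the hostname can be smuggled in as a further header. Equally valid, and simpler, is to ignore the Host header altogether and read the canonical hostname from the site configuration; the allowlist variant is shown because many installs legitimately answer on more than one name.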
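Five entries in the table (CVE-2023-31576, CVE-2020-10964, CVE-2016-10752, CVE-2023-53933 and CVE-2024-58282) are the same failure in different clothes: a client-chosen filename reaches the media directory and the server's PHP handler executes it. A trailing dot that Windows strips on write, a bare `php` as a name during rename, and a `.phar` extension, which stock Debian-family Apache PHP configurations hand to the interpreter alongside `.php` and `.phtml`, each slipped past a check written as a blocklist. The Python below is an added example of an allowlist validator that handles those cases and also chooses a server-side storage name; it is not Serendipity's code, and the extension sets, the `UnsafeFilename` type and the sample names are constructed for this illustration.

```python
import re
import secrets

# Only these extensions are ever stored; everything else is refused (allowlist, not blocklist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt"}

# Names that PHP handlers on common hosting setups may execute. A filename is refused if ANY
# dotted segment is one of these, because Apache mod_mime evaluates every extension of a name
# (so "shell.php.jpg" can still run), and the final-extension allowlist alone misses that.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}

# What a stem segment may contain: no separators, spaces, quotes or control bytes.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafeFilename(ValueError):
    """Raised for any client-supplied name that should not reach the media directory."""


def validate_upload_name(name: str) -> tuple:
    """Return (stem, extension) for an acceptable name, else raise UnsafeFilename.

    Run this on rename and move targets too, not only on fresh uploads: the trailing-dot and
    extensionless bypasses in the table above were reached through the rename path.
    """
    if "\x00" in name:
        raise UnsafeFilename("NUL byte in name")
    if ":" in name:
        # Drive letters and NTFS alternate data streams (shell.php::$DATA) have no business here.
        raise UnsafeFilename("colon in name")
    # Keep only the last path component; the client has no say in the directory.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if name != name.rstrip(". "):
        # Windows silently drops trailing dots and spaces, so "shell.php." lands as shell.php.
        raise UnsafeFilename("trailing dot or space")
    segments = name.split(".")
    if len(segments) < 2:
        # Extensionless names (e.g. "php") are refused outright rather than guessed at.
        raise UnsafeFilename("no extension")
    ext = segments[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension {ext!r} not allowed")
    stem_segments = segments[:-1]
    for seg in stem_segments:
        if not SAFE_SEGMENT.fullmatch(seg):
            # Also catches empty segments, so ".htaccess" and ".hidden.jpg" are refused.
            raise UnsafeFilename(f"bad segment {seg!r}")
        if seg.lower() in EXECUTABLE_SEGMENTS:
            raise UnsafeFilename(f"executable segment {seg!r}")
    return ".".join(stem_segments), ext


def is_rejected(name: str) -> bool:
    """Convenience predicate: True when validate_upload_name would refuse the name."""
    try:
        validate_upload_name(name)
    except UnsafeFilename:
        return True
    return False


def storage_name(name: str) -> str:
    """Server-chosen on-disk name: random stem plus the validated extension.

    The client-supplied stem is never used on disk, so even a validator gap cannot turn into a
    path or handler trick; keep the original only as display metadata in the database.
    """
    _, ext = validate_upload_name(name)
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for candidate in ["photo.JPG", "shell.php.", "shell.phar", "php", "x.php.jpg", "x.jpg::$DATA"]:
        print(f"{candidate!r:20} rejected={is_rejected(candidate)}")
    print(storage_name("photo.jpg"))
```

The validator is deliberately strict about stems so that the stored name never depends on the client's choice; `storage_name` makes that explicit. Disabling script execution for the media directory (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration, or removing the PHP handler for the path) is the second control, so that a future bypass of the name check still yields a downloadable file rather than a shell.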