Serendipity

This hub aggregates every CVE we track for Serendipity, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Serendipity.

• CVE-2026-39971Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST7.2Apr 14, 2026
• CVE-2026-39963Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain6.9Apr 14, 2026
• CVE-2023-53933Serendipity 2.4.0 Authenticated Remote Code Execution via File Upload8.8Dec 17, 2025
• CVE-2023-53932Serendipity 2.4.0 Stored Cross-Site Scripting via Admin Entry Creation5.4Dec 17, 2025
• CVE-2024-58282Serendipity 2.5.0 Remote Code Execution via Authenticated Media Upload7.2Dec 10, 2025
• CVE-2023-31576An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or Javascript file.8.8May 16, 2023
• CVE-2020-10964Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.9.8Mar 25, 2020
• CVE-2011-4090Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation.6.1Nov 26, 2019
• CVE-2011-1135Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/Im...6.1Nov 5, 2019
• CVE-2011-1134Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.9.8Nov 5, 2019
• CVE-2011-1133Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.6.1Nov 5, 2019
• CVE-2016-10752serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated...9.8May 24, 2019
• CVE-2019-11870Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.6.1May 9, 2019
• CVE-2016-10737Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.5.4Jan 16, 2019
• CVE-2017-1000129Serendipity 2.0.3 is vulnerable to a SQL injection in the blog component resulting in information disclosure7.5Nov 17, 2017