S9y Serendipity
28 CVEs affecting S9y Serendipity. Latest disclosed: 2026-04-14. Critical: 1, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-10082 | Critical | 9.8 | 2016-12-30 | include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time insta… |
| CVE-2023-53933 | High | 8.8 | 2025-12-17 | Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attack… |
| CVE-2017-8101 | High | 8.8 | 2017-04-24 | There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request. |
| CVE-2017-5609 | High | 8.8 | 2017-01-28 | SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via t… |
| CVE-2017-5476 | High | 8.8 | 2017-01-14 | Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin. |
| CVE-2017-5475 | High | 8.8 | 2017-01-14 | comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments. |
| CVE-2016-9752 | High | 8.6 | 2016-12-01 | In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status… |
| CVE-2017-1000129 | High | 7.5 | 2017-11-17 | Serendipity 2.0.3 is vulnerable to a SQL injection in the blog component resulting in information disclosure |
| CVE-2026-39971 | High | 7.2 | 2026-04-14 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTT… |
| CVE-2026-39963 | Medium | 6.9 | 2026-04-14 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_S… |
| CVE-2017-5474 | Medium | 6.1 | 2017-01-14 | Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing a… |
| CVE-2023-53932 | Medium | 5.4 | 2025-12-17 | Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation… |
| CVE-2017-8102 | Medium | 5.4 | 2017-04-24 | Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is rela… |
| CVE-2016-9681 | Medium | 5.4 | 2016-12-25 | Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a c… |
| CVE-2015-8603 | Medium | 5.4 | 2016-01-12 | Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_i… |
| CVE-2015-6969 | | | 2015-09-16 | Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 theme in Serendipity before 2.0.2 allows remote attackers to inject arbitrary web script… |
| CVE-2015-6968 | | | 2015-09-16 | Multiple incomplete blacklist vulnerabilities in the serendipity_isActiveFile function in include/functions_images.inc.php in Serendipity before 2.0.2 allow re… |
| CVE-2015-6943 | | | 2015-09-15 | SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens f… |
| CVE-2015-2289 | | | 2015-03-23 | Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entries.tpl in Serendipity before 2.0.1 allows remote authenticated editors to inject arbitrar… |
| CVE-2014-9432 | | | 2014-12-31 | Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arb… |