S9y >> Serendipity Security Vulnerabilities
Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post.
CVSS Score: 5.4
EPSS Score: 0.0
Published: 2025-12-17
Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload PHP code under a .phar file extension. An attacker can upload a file containing system command payloads to the media upload endpoint and then execute arbitrary commands on the server.
CVSS Score: 8.8
EPSS Score: 0.005
Published: 2025-12-17
Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server.
CVSS Score: 7.2
EPSS Score: 0.004
Published: 2025-12-10
An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or JavaScript file.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2023-05-16
Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the name of a renamed file may end with a dot; such a file can subsequently be renamed to a .php filename.
CVSS Score: 9.8
EPSS Score: 0.038
Published: 2020-03-25
Serendipity before 1.6 has an XSS issue in the karma plugin that may allow privilege escalation.
CVSS Score: 6.1
EPSS Score: 0.017
Published: 2019-11-26
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.
CVSS Score: 6.1
EPSS Score: 0.009
Published: 2019-11-05
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.
CVSS Score: 9.8
EPSS Score: 0.05
Published: 2019-11-05
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php.
CVSS Score: 6.1
EPSS Score: 0.009
Published: 2019-11-05
serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename.
CVSS Score: 9.8
EPSS Score: 0.007
Published: 2019-05-24
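Four of the entries above are variations of one bug class: a media upload or rename accepts a name that a ".php"-only denylist does not catch (a .phar extension in 2.4.0, a trailing dot that Windows strips before 2.3.4, an extensionless "php" that gains its dot on rename in 2.0.3, and HTML/JavaScript files in 2.4-beta1). The following is an added example, not Serendipity's own code, of the filename validation that closes all four at once: it normalizes the name to what will actually exist on disk, refuses every server-executable and browser-active extension anywhere in the name, pins the extension across renames, and accepts only an allowlist. The extension sets and the ALLOWED list are assumptions chosen for illustration, not values taken from the project.

```python
"""Hardened upload/rename filename checks for a PHP blog's media directory.

Added example, not Serendipity's own code. The extension sets below are
assumed for illustration; tune ALLOWED to what the media library must hold.
"""
import posixpath
from typing import Optional

# Extensions that common Apache/PHP-FPM setups hand to the PHP interpreter.
# A denylist of just ".php" misses every one of the others (the .phar case).
PHP_EXECUTABLE = {"php", "phar", "phtml", "pht", "php3", "php4", "php5",
                  "php7", "php8", "phps"}
# Types that execute in a viewer's browser with the blog's origin if served inline.
BROWSER_ACTIVE = {"html", "htm", "xhtml", "xht", "svg", "js", "mjs", "xml", "xsl"}
# Assumed allowlist of what the media library is meant to store.
ALLOWED = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "zip"}


class RejectedFilename(ValueError):
    """Raised with a human-readable reason when a name must not be stored."""


def normalize(name: str) -> str:
    """Reduce a client-supplied name to the single component that will exist on disk."""
    if "\x00" in name:
        raise RejectedFilename("NUL byte in filename")
    # Treat backslashes as separators too, then keep only the last component,
    # so "../../x.jpg" and "..\\x.jpg" both become "x.jpg".
    name = posixpath.basename(name.replace("\\", "/"))
    # NTFS silently drops trailing dots and spaces at create time, so
    # "shell.php." is stored as "shell.php" (the pre-2.3.4 Windows case).
    # Strip them ourselves so the check sees the name the filesystem will use.
    return name.rstrip(". ")


def check_filename(name: str) -> str:
    """Return the normalized name if it is safe to store, else raise RejectedFilename."""
    base = normalize(name)
    if base in ("", ".", ".."):
        raise RejectedFilename("empty or directory name")
    parts = base.split(".")
    if len(parts) < 2:
        # "php" has no extension now, but becomes ".php" the moment a rename
        # joins it to a dot (the serendipity_moveMediaDirectory 2.0.3 case).
        raise RejectedFilename("missing extension")
    stem, exts = parts[0], [p.lower() for p in parts[1:]]
    if not stem:
        raise RejectedFilename("dotfile (e.g. .htaccess) not allowed")
    # Inspect every extension, not just the last: with AddHandler-style
    # mapping in Apache, "x.php.jpg" can still be run as PHP.
    for ext in exts:
        if ext in PHP_EXECUTABLE:
            raise RejectedFilename(f"server-executable extension .{ext}")
        if ext in BROWSER_ACTIVE:
            raise RejectedFilename(f"browser-active extension .{ext}")
    if exts[-1] not in ALLOWED:
        raise RejectedFilename(f".{exts[-1]} is not in the media allowlist")
    return base


def check_rename(current: str, requested: str) -> str:
    """Validate a rename target and refuse to let the extension change.

    Both names must pass check_filename; pinning the extension means a file
    accepted as an image can never be turned into a script by renaming it.
    """
    old, new = check_filename(current), check_filename(requested)
    if old.rsplit(".", 1)[1].lower() != new.rsplit(".", 1)[1].lower():
        raise RejectedFilename("rename may not change the extension")
    return new


def reject_reason(name: str) -> Optional[str]:
    """Reason string if the name is rejected, None if it is accepted."""
    try:
        check_filename(name)
        return None
    except RejectedFilename as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample names covering the cases from the advisories above.
    for candidate in ["cat.jpg", "../../cat.PNG", "shell.phar", "shell.php.",
                      "php", "x.php.jpg", "payload.html", ".htaccess"]:
        print(f"{candidate!r:20} -> {reject_reason(candidate) or 'accepted'}")
```

Run it directly to see each sample name and why it is accepted or refused. The validator is deliberately an allowlist with a denylist backstop: the allowlist is what protects against an extension nobody thought of, while the explicit PHP and browser-active sets make the intent reviewable and give a precise rejection reason in logs. It checks names only; serving the upload directory with script execution disabled (no PHP handler, `X-Content-Type-Options: nosniff`, `Content-Disposition: attachment` for anything not an image) is the independent second layer a deployment should still have.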
Shodan ® - All rights reserved