Serendipity
cpe:2.3:a:s9y:serendipity:*:*:*:*:*:*:*
- 2.4.0
A remote code execution vulnerability has been identified in Serendipity version 2.4.0. This vulnerability allows authenticated attackers to upload malicious PHP files with a .phar extension through the media upload endpoint. Once uploaded, these files can execute arbitrary commands on the server.
Exploitation of this vulnerability allows for remote code execution on the server where Serendipity 2.4.0 is installed.
To reproduce this vulnerability, an authenticated user can upload a .phar file containing a PHP payload with system command instructions via the media upload endpoint. After uploading the file, it can be accessed through the uploads directory, where the embedded commands will be executed on the server.
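An added example, not part of the advisory or of Serendipity's code: a Python sweep of an uploads directory that flags files whose name carries a PHP-handled extension such as .phar, or whose first bytes contain a PHP open tag. The extension set beyond .phar, the function names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: extensions the web server may hand to the PHP interpreter. Only
# .phar comes from the advisory; match the rest to the server's handler config.
PHP_EXTS = {"phar", "php", "phtml", "pht", "php3", "php4", "php5", "php7"}
PHP_TAGS = (b"<?php", b"<?=")  # "<?=" can also occur by chance in binary data


def classify(path, head_bytes=65536):
    """Return the reasons a file under the uploads tree looks PHP-executable."""
    reasons = []
    # Check every dot-separated part, case-insensitively ("banner.phar.png").
    parts = path.name.lower().rstrip(". ").split(".")[1:]
    if hits := sorted(set(parts) & PHP_EXTS):
        reasons.append("extension:" + ",".join(hits))
    with path.open("rb") as fh:
        head = fh.read(head_bytes).lower()
    if any(tag in head for tag in PHP_TAGS):
        reasons.append("php-open-tag")
    return reasons


def audit_uploads(root):
    """Map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (reasons := classify(path)):
            findings[str(path.relative_to(root))] = reasons
    return findings


def demo():
    """Audit a constructed uploads tree (sample files, not real captures)."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "notes.PHAR": b"<?php /* constructed placeholder */ ?>",
        "banner.phar.png": b"\x89PNG constructed png bytes",
        "avatar.gif": b"GIF89a <?php /* constructed placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return audit_uploads(root)


if __name__ == "__main__":
    for name, why in demo().items():
        print(name, why)
```

Point `audit_uploads` at the installation's uploads directory. A hit on a multi-part name such as `banner.phar.png` is conservative and matters only where the server maps inner extensions to PHP.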