CVE-2016-10737

MEDIUM

Serendipity 2.0.4 - Cross-Site Scripting via serendipity[body] Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-10737. PoCs published by Besim.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Serendipity <= 2.0.4, where an attacker can inject malicious JavaScript into the 'Entry Body' field, which executes when viewed by other users. The PoC includes a sample HTTP request with the payload.

Description

Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Besim · textwebappsphp

https://www.exploit-db.com/exploits/40650

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Serendipity <= 2.0.4, where an attacker can inject malicious JavaScript into the 'Entry Body' field, which executes when viewed by other users. The PoC includes a sample HTTP request with the payload.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Serendipity <= 2.0.4

Auth required

Prerequisites: Valid user credentials to access the 'New Entry' feature

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40650

Scores

CVSS v3 5.4

EPSS 0.0062

EPSS Percentile 44.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

s9y/serendipity 2.0.4

Published Jan 16, 2019

Tracked Since Feb 18, 2026