Serendipity 2.4.0 Authenticated Remote Code Execution via File Upload

Advisories

severity: high
date: December 17, 2025
Affecting: Serendipity 2.4.0
CVE: CVE-2023-53933
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51372
Official Product Homepage
Credit: Mirabbas Ağalarov
Description: Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server.