PatchSiren cyber security CVE debrief
CVE-2017-5609 S9y CVE debrief
CVE-2017-5609 is a high-severity SQL injection issue in Serendipity 2.0.5. According to the official NVD record, a remote authenticated user can trigger arbitrary SQL commands through the cat parameter in include/functions_entries.inc.php. NVD rates the issue CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high impact with relatively low attack complexity.
- Vendor
- S9y
- Product
- CVE-2017-5609
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-28
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-28
- Advisory updated
- 2026-05-13
Who should care
Administrators and operators running Serendipity 2.0.5, especially environments where authenticated users can reach the affected code path. Security teams should also care if the application stores sensitive content or has database privileges beyond the minimum required.
Technical summary
The vulnerability is classified as CWE-89 (SQL Injection). NVD maps it to cpe:2.3:a:s9y:serendipity:2.0.5 and describes the flaw in include/functions_entries.inc.php, where the cat parameter can be used by a remote authenticated user to influence SQL execution. The official references include an upstream patch commit and release notes, indicating a vendor fix path is available.
Defensive priority
High. The issue is network-reachable, requires only authenticated access, and is rated with high confidentiality, integrity, and availability impact. If Serendipity 2.0.5 is deployed, this should be treated as a priority patching and validation item.
Recommended defensive actions
- Upgrade to a Serendipity version that includes the upstream fix referenced by the official patch commit and release notes.
- Review and restrict who can obtain authenticated access to the application, since the flaw requires a valid login.
- Inspect database logs and application telemetry for unusual SQL activity tied to the affected code path.
- Verify that the affected parameter handling is properly validated and parameterized in any custom forks or downstream changes.
- If immediate patching is not possible, reduce exposure by limiting access to the application and monitoring administrative activity closely.
Evidence notes
The CVE was published on 2017-01-28 and later modified on 2026-05-13 in the official NVD record. NVD identifies the affected version as Serendipity 2.0.5 and cites CWE-89 with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Official references include a SecurityFocus BID entry, an upstream GitHub patch commit, and Serendipity 2.1-rc1 release notes. The supplied corpus does not state a specific fixed stable release beyond those references.
Official resources
-
CVE-2017-5609 CVE record
CVE.org
-
CVE-2017-5609 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Release Notes, Third Party Advisory
Publicly disclosed through the official CVE/NVD record on 2017-01-28. The NVD entry was last modified on 2026-05-13. The supplied corpus links the issue to an upstream patch commit and release notes, supporting remediation availability.