Description
A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the get_headers function of index.php in SourceCodester SEO Meta Tag Extractor 1.0. By manipulating the url argument, an attacker controls the target of the request that the server makes. This is a Server‑Side Request Forgery (SSRF) condition: the caller can make the server reach internal services, files, or other external resources that might otherwise be inaccessible. The consequence is the potential compromise of confidentiality, integrity, or availability of internal systems, depending on what resources are accessed.

Affected Systems

Affected are installations of SourceCodester SEO Meta Tag Extractor version 1.0, as identified by the CNA product name. No other versions were listed, so the impact is limited to that specific release.

Risk and Exploitability

The recorded CVSS score is 6.9, indicating a moderate to high severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote, meaning an adversary can trigger the SSRF from outside the network. Since the function is exposed via a publicly accessible endpoint, exploitation requires no privileged access beyond triggering the request; crafted URL parameters can be provided by an attacker to instruct the server to make arbitrary requests.

Generated by OpenCVE AI on June 1, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If an official patch or newer version is released by SourceCodester, upgrade immediately to the fixed release.
  • In the absence of a patch, configure the web server or application firewall to restrict outbound connections from the SEO Meta Tag Extractor process to only whitelisted destinations and block requests to internal address ranges (e.g., 127.0.0.1, 10.x.x.x, 172.16.x.x, 192.168.x.x).
  • Deploy WAF or custom rule sets that validate the URL parameter against a list of allowed domains or block non‑HTTPS and suspect URI patterns, mitigating the impact of arbitrary outbound requests.
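
The URL validation described in the actions above, sketched at the application layer as an added example (not code from SourceCodester or OpenCVE). The function names, the optional host allowlist and the sample URLs are assumptions made for illustration; PHP 7.1 or later is assumed for the get_headers context argument.

```php
<?php
// Added example: validate a user-supplied URL before it reaches get_headers().
// is_public_ip() and safe_fetch_headers() are hypothetical names.

function is_public_ip(string $ip): bool
{
    // Fails for private ranges (10/8, 172.16/12, 192.168/16) and reserved
    // ranges (0/8, 127/8, 169.254/16, 240/4).
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

function safe_fetch_headers(string $url, array $allowedHosts = [])
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // malformed, or no host (e.g. file:///...)
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;                       // HTTPS only, no other stream wrappers
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // no embedded credentials
    }
    $host = strtolower($parts['host']);
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        return false;                       // allowlist enforced when configured
    }
    // gethostbynamel() resolves IPv4 only and returns false on failure, so
    // unresolvable hosts and bracketed IPv6 literals are rejected (fail closed).
    $ips = gethostbynamel($host);
    if ($ips === false) {
        return false;
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return false;                   // any internal address rejects the URL
        }
    }
    // Redirects are not followed: a 30x to an internal address would bypass the checks.
    $ctx = stream_context_create([
        'http' => ['method' => 'HEAD', 'follow_location' => 0, 'timeout' => 5],
    ]);
    return get_headers($url, true, $ctx);
}

// Constructed sample inputs; none of them triggers an outbound request.
foreach (['http://127.0.0.1/', 'https://127.0.0.1/', 'https://192.168.1.10/x', 'file:///etc/hosts'] as $u) {
    var_dump(safe_fetch_headers($u));
}
```

The DNS lookup in the check and the one performed by get_headers are separate, so a host whose records change between the two can still slip through; the outbound connection restrictions listed above remain necessary alongside this check.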



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 20:30:00 +0000

Columns: Type, Values Removed, Values Added

Description: A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title: SourceCodester SEO Meta Tag Extractor index.php get_headers server-side request forgery
First Time appeared: Sourcecodester; Sourcecodester seo Meta Tag Extractor
Weaknesses: CWE-918
CPEs: cpe:2.3:a:sourcecodester:seo_meta_tag_extractor:*:*:*:*:*:*:*:*
Vendors & Products: Sourcecodester; Sourcecodester seo Meta Tag Extractor
References:
Metrics:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T15:46:21.270Z

Reserved: 2026-05-31T16:34:04.519Z

Link: CVE-2026-10287

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-01T21:16:25.640

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses