Description
A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack can be carried out remotely. The exploit has been published and may be used.
Published: 2026-03-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Server-side request forgery
Action: Patch
AI Analysis

Impact

The vulnerability is a server-side request forgery in SourceCodester RSS Feed Parser 1.0, affecting the file_get_contents function. By supplying a crafted URL, an attacker can cause the application to make arbitrary HTTP requests on the server's behalf, potentially reaching internal services or disclosing sensitive data. The flaw is classified under CWE-918 and allows remote exploitation without authentication.

Affected Systems

Specifically affected is the SourceCodester RSS Feed Parser product, version 1.0. No other versions or components were listed in the CNA data.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The exploit is already publicly available and can be launched remotely, though no EPSS score is provided and the vulnerability is not present in the CISA KEV catalog. As the server-side request forgery can be triggered via the file_get_contents function, an attacker who can interact with the application may abuse it to reach privileged internal endpoints, potentially leading to data exposure or further lateral movement.

Generated by OpenCVE AI on March 30, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the SourceCodester website for any updates or patches to RSS Feed Parser 1.0 and apply them promptly.
  • If a patch is not available, restrict outbound network traffic from the server to known legitimate endpoints to prevent arbitrary requests.
  • Consider implementing network segmentation or firewall rules to block the server from accessing internal services that could be abused by SSRF.
  • Validate or sanitize any URLs passed to file_get_contents to ensure they do not point to internal or privileged resources.
  • Monitor logs for unusual outbound request activity that might indicate exploitation attempts.
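One way to implement the URL validation recommended above, as an added example that is not the SourceCodester project's code: a PHP wrapper around file_get_contents that allows only http and https on their default ports, refuses hosts that resolve to loopback, private or link-local addresses, disables redirects, and pins the request to the vetted IP so the address cannot change between check and fetch. The function name fetch_feed_safely, the Host-header/peer_name pinning and the PHP version assumption are my own choices, not anything stated in the advisory.

```php
<?php
// Added hardening example, not code from the SourceCodester project.
// Validates an attacker-influenced feed URL before handing it to
// file_get_contents(), then pins the request to the checked address so a
// DNS answer cannot change between the check and the fetch.
// Assumes PHP >= 7.4 with the filter and openssl extensions.
function fetch_feed_safely(string $url, int $timeout = 5): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return null;                    // unparsable URL or no host
    }
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                    // blocks file://, php://, gopher:// ...
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                    // no probing of admin or service ports
    }
    $host = $p['host'];
    // IPv4 literals are used as-is; names are resolved. AAAA-only names are
    // refused, which is deliberately conservative for a feed fetcher.
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
        ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {             // reject loopback, RFC 1918 and
        if (!filter_var($ip, FILTER_VALIDATE_IP,   // link-local (169.254.0.0/16)
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return null;
        }
    }
    // Connect to the vetted IP; keep the original name for Host, SNI and the
    // certificate check.
    $pinned = $scheme . '://' . $ips[0] . ':' . $port . ($p['path'] ?? '/')
        . (isset($p['query']) ? '?' . $p['query'] : '');
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'header'          => "Host: $host\r\n",
            'follow_location' => 0,     // a 302 to an internal host would bypass the check
            'timeout'         => $timeout,
        ],
        'ssl' => ['peer_name' => $host, 'verify_peer' => true],
    ]);
    $body = @file_get_contents($pinned, false, $ctx);
    return $body === false ? null : $body;
}
```

Pair this with the egress restrictions above: host-level validation alone does not cover every reserved range (for example 100.64.0.0/10), so the firewall rule remains the backstop.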

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values removed | Values added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 18:15:00 +0000

Type | Values removed | Values added
Description | | A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Title | | SourceCodester RSS Feed Parser file_get_contents server-side request forgery
Weaknesses | | CWE-918
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T20:16:49.688Z

Reserved: 2026-03-30T08:01:41.082Z

Link: CVE-2026-5126

Vulnrichment

Updated: 2026-03-30T20:16:46.083Z

NVD

Status: Received

Published: 2026-03-30T18:16:20.537

Modified: 2026-03-30T18:16:20.537

Link: CVE-2026-5126

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:17Z

Weaknesses