CVE-2026-10287: SSRF in SourceCodester SEO Meta Tag Extractor 1.0
A server-side request forgery (SSRF) vulnerability exists in SourceCodester SEO Meta Tag Extractor version 1.0. An attacker can manipulate the URL parameter passed to the get_headers function in /index.php to make the vulnerable server perform requests on their behalf—potentially accessing internal services, exfiltrating data, or launching attacks against other systems on the network. No authentication is required, and the flaw can be exploited remotely over the network. Public exploit code is already available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10287 is a CWE-918 server-side request forgery vulnerability in SourceCodester SEO Meta Tag Extractor 1.0. The get_headers function in /index.php fails to properly validate the url parameter, allowing an unauthenticated attacker to inject arbitrary URLs. This causes the server to issue HTTP requests to attacker-specified destinations, bypassing network segmentation and access controls. The vulnerability has a CVSS v3.1 score of 7.3 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating low attack complexity, no privileges required, and impacts on confidentiality, integrity, and availability.
Business impact
An SSRF vulnerability in a publicly exposed web application poses significant operational risk. Attackers can probe and access internal services (databases, admin panels, cloud metadata endpoints), intercept sensitive data, or manipulate internal systems. If the affected instance can reach critical infrastructure or cloud environments, the blast radius extends to those assets. Organizations relying on this tool for SEO metadata extraction may face data breaches, lateral movement into their infrastructure, or denial of service. The public disclosure and availability of exploit code accelerates real-world attack timelines.
Affected systems
SourceCodester SEO Meta Tag Extractor version 1.0 is vulnerable. Organizations running this application should immediately inventory affected deployments. The vulnerability requires network access to the /index.php endpoint; exposure depends on whether the application is internet-facing, on an internal network, or air-gapped. Verify your version against the application vendor's release information.
Exploitability
This vulnerability is highly exploitable. No authentication, special privileges, or user interaction is required. Attack complexity is low—an attacker simply crafts a malicious URL parameter and sends it to the get_headers function. Proof-of-concept code has been publicly disclosed, lowering the barrier to exploitation. The threat is immediate and actionable by any networked attacker.
Remediation
Upgrade SourceCodester SEO Meta Tag Extractor to a patched version beyond 1.0 as soon as the vendor releases one. Pending a patch, implement network-level controls: restrict outbound traffic from the server to only legitimate destinations, use a Web Application Firewall (WAF) to block suspicious URL parameters, and disable or remove the application from production if it is not critical. If the tool is only used internally, restrict network access to trusted subnets.
Patch guidance
Contact SourceCodester or check their official repository for patched versions. Verify the patch version against the vendor's security advisory before deployment. Apply patches in a test environment first to ensure compatibility with your SEO workflow. If no patch is available at the time of assessment, prioritize mitigation controls until one is released.
Detection guidance
Monitor HTTP request logs for the /index.php endpoint, particularly requests with suspicious url parameters pointing to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, or cloud metadata services (169.254.169.254). Look for unusual outbound connections from the application server to unexpected destinations. Deploy WAF rules to detect and block common SSRF payloads. Correlate application logs with network traffic to identify exploitation attempts.
Why prioritize this
Despite not being on the CISA KEV list, this vulnerability merits immediate prioritization because: (1) public exploits reduce time-to-compromise to hours or minutes, (2) SSRF flaws enable lateral movement and data exfiltration, (3) no authentication is required, (4) the attack surface is network-accessible by design. Any internet-facing instance should be treated as critical. Even internal deployments pose risk if the server can reach sensitive systems.
Risk score, explained
The CVSS 7.3 (HIGH) score reflects the network-exploitable nature, absence of access controls, and multi-faceted impact on confidentiality, integrity, and availability. The score appropriately weights the ease of exploitation and the attacker's ability to weaponize the flaw for reconnaissance and lateral movement. The public availability of exploit code is not factored into CVSS but substantially elevates practical risk in your environment.
Frequently asked questions
What is server-side request forgery and why is it dangerous?
SSRF allows an attacker to manipulate a vulnerable server into making HTTP requests on their behalf. This bypasses network boundaries and can leak sensitive data from internal services, cloud metadata endpoints, or database servers that are only accessible from within the network. In cloud environments, attackers often target 169.254.169.254 to steal credentials and API tokens.
If our instance is behind a firewall and not directly internet-facing, are we safe?
Not entirely. If the server can initiate outbound connections to internal services or cloud metadata endpoints, an attacker with network access (insider, compromised third-party, lateral movement from another breach) can still exploit the SSRF to reach those services. Additionally, if any development, testing, or staging instance is internet-facing, it could be used as a pivot point.
How long will it take for a patch to be available?
That depends on the vendor's response time. Since public exploits are available, responsible vendors typically prioritize a patch. Monitor the vendor's GitHub repository, security advisories, and changelog. If you do not see a patch within days or weeks, escalate your communication with the vendor and accelerate migration to an alternative SEO metadata tool.
Can we use a Web Application Firewall to fully mitigate this?
A WAF can reduce exposure by blocking malicious URL parameters and suspicious outbound destinations, but it is not a complete substitute for patching. WAF rules may be bypassed with encoding or obfuscation, and the underlying vulnerability remains. Use WAF as a temporary control while awaiting a patch, but plan to upgrade the application as your primary defense.
This analysis is provided for informational purposes and reflects information available as of the publish and modification dates shown. Security vulnerabilities evolve as patches are released and threat actors develop new techniques. Always verify patch availability and compatibility against the official vendor advisory before deploying updates. No exploit code, weaponization instructions, or proof-of-concept payloads are provided herein. Organizations are responsible for assessing their own exposure and implementing controls appropriate to their risk tolerance and operational environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10068HIGHSSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10280HIGHServer-Side Request Forgery in Horizon921 mcpilot 0.1.0
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass
- CVE-2026-42965HIGHOpenShift Router SSRF via FQDN EndpointSlice
- CVE-2026-44285HIGHFastGPT SSRF Vulnerability in Dataset Preview Endpoint
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk