medium advisory

SourceCodester SEO Meta Tag Extractor 1.0 - Server-Side Request Forgery (SSRF) - CVE-2026-10287

SourceCodester SEO Meta Tag Extractor 1.0 is vulnerable to server-side request forgery (SSRF) via manipulation of the 'url' argument in the get_headers function of the /index.php file, potentially allowing a remote attacker to make requests to internal or external systems.

SourceCodester SEO Meta Tag Extractor 1.0 is susceptible to a server-side request forgery (SSRF) vulnerability identified as CVE-2026-10287. The flaw resides within the get_headers function of the /index.php file. An attacker can remotely trigger this vulnerability by manipulating the url argument, forcing the application to make HTTP requests to arbitrary destinations. This could be abused to scan internal networks, read sensitive information from internal services, or potentially proxy attacks to other systems. The vulnerability has been publicly disclosed, making it more likely to be exploited.

Attack Chain

  1. Attacker identifies the vulnerable application, SourceCodester SEO Meta Tag Extractor 1.0, running online.
  2. Attacker crafts a malicious URL containing the target internal or external address, embedding it within the url parameter of a request to /index.php.
  3. The attacker sends a request to /index.php with the manipulated url parameter, targeting the get_headers function.
  4. The application’s get_headers function processes the attacker-controlled URL without proper validation.
  5. The application initiates an HTTP request to the attacker-specified internal or external server.
  6. The application receives the HTTP response from the targeted server.
  7. The application may then display or use the received information.
  8. If successful, the attacker can leverage this SSRF vulnerability to potentially gain unauthorized access to internal resources or proxy requests.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-10287) can disclose sensitive internal information, such as internal service configurations or data, by forcing the application to make requests to internal resources. It can also be leveraged to port-scan the internal network or to proxy attacks to other systems. The CVSS v3.1 score of 7.3 indicates a high-severity vulnerability with potential for information disclosure and limited impact on integrity and availability.

Recommendation

  • Apply available patches or updates provided by SourceCodester for SEO Meta Tag Extractor 1.0 to address CVE-2026-10287.
  • Implement input validation and sanitization on the url parameter in the get_headers function within /index.php to prevent arbitrary URL usage, mitigating CVE-2026-10287.
  • Deploy the Sigma rule "Detect SSRF in SourceCodester SEO Meta Tag Extractor via URL Parameter" to identify potential exploitation attempts in web server logs.
  • Monitor web server logs for requests to /index.php containing suspicious URLs or internal IP addresses in the url parameter.
  • Consider implementing network segmentation to limit the impact of a successful SSRF attack, restricting the application’s ability to access internal resources.
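
The log-monitoring recommendation above can be prototyped as follows. This is an added example, not code from the advisory, the Sigma rules, or SourceCodester. It assumes combined-format access logs and that the url parameter arrives in the query string, so a value sent in a POST body would not be visible to it. The log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed sample lines, not from the advisory or a real server
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:04 +0000] "GET /index.php?url=http%3A%2F%2F10.0.0.5%3A8080%2Fstatus HTTP/1.1" 200 231',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /index.php?url=http://localhost/ HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jan/2026:10:01:00 +0000] "GET /about.php?url=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jan/2026:10:01:30 +0000] "GET /index.php?url=http%3A%2F%2F%5B%3A%3A1%5D%2F HTTP/1.1" 200 90',
]

def classify_target(raw_url):
    """Return a reason if the submitted URL names an internal host, else None."""
    try:
        host = (urlsplit(raw_url).hostname or "").rstrip(".").lower()
    except ValueError:
        return "unparseable URL"
    if host == "localhost" or host.endswith((".internal", ".local")):
        return "internal hostname: " + host
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary DNS name; this log check does not resolve names
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "internal address: " + str(ip)
    return None

def scan(lines):
    """Return (line_number, submitted_url, reason) for flagged /index.php requests."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != "/index.php":
            continue
        for value in parse_qs(target.query).get("url", []):  # percent-decoded values
            reason = classify_target(value)
            if reason:
                findings.append((number, value, reason))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because hostnames are not resolved here, the check complements the server-side validation and network segmentation recommended above and does not replace them.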

Detection coverage 2

Detect SSRF in SourceCodester SEO Meta Tag Extractor via URL Parameter

medium

Detects potential Server-Side Request Forgery (SSRF) attempts in SourceCodester SEO Meta Tag Extractor 1.0 by monitoring requests to /index.php with a URL parameter containing suspicious characters or internal IP addresses. This aims to detect CVE-2026-10287 exploitation.

sigma; tactics: initial_access, resource_development; techniques: T1199, T1583.001; sources: webserver

Detect SSRF in SourceCodester SEO Meta Tag Extractor via get_headers function

low

Detects potential Server-Side Request Forgery (SSRF) attempts in SourceCodester SEO Meta Tag Extractor 1.0 related to the get_headers function by monitoring requests to /index.php. This aims to detect CVE-2026-10287 exploitation.

sigma; tactics: initial_access, resource_development; techniques: T1199, T1583.001; sources: webserver
