{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5126", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T08:01:41.082Z", "datePublished": "2026-03-30T18:00:14.871Z", "dateUpdated": "2026-03-30T20:16:49.688Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-30T18:00:14.871Z"}, "title": "SourceCodester RSS Feed Parser file_get_contents server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "SourceCodester", "product": "RSS Feed Parser", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T10:06:52.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Hemant Raj Bhati (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354158", "name": "VDB-354158 | SourceCodester RSS Feed Parser file_get_contents server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354158/cti", "name": "VDB-354158 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780180", "name": "Submit #780180 | SourceCodester RSS Feed Parser Using PHP and JavaScript N/A Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@hemantrajbhati5555/discovering-a-blind-ssrf-vulnerability-in-a-php-rss-feed-parser-243f3ccbdafb", "tags": ["broken-link", "exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T20:16:41.055515Z", "id": "CVE-2026-5126", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:16:49.688Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5126", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T20:16:41.055515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:16:46.083Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester RSS Feed Parser file_get_contents server-side request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "Hemant Raj Bhati (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "product": "RSS Feed Parser", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-30T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-30T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-30T10:06:52.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354158", "name": "VDB-354158 | SourceCodester RSS Feed Parser file_get_contents server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354158/cti", "name": "VDB-354158 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780180", "name": "Submit #780180 | SourceCodester RSS Feed Parser Using PHP and JavaScript N/A Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@hemantrajbhati5555/discovering-a-blind-ssrf-vulnerability-in-a-php-rss-feed-parser-243f3ccbdafb", "tags": ["broken-link", "exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-30T18:00:14.871Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5126", "state": "PUBLISHED", "dateUpdated": "2026-03-30T20:16:49.688Z", "dateReserved": "2026-03-30T08:01:41.082Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-30T18:00:14.871Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en SourceCodester RSS Feed Parser 1.0. Este problema afecta a la funci\u00f3n file_get_contents. Esta manipulaci\u00f3n provoca falsificaci\u00f3n de petici\u00f3n del lado del servidor. El ataque puede llevarse a cabo remotamente. El exploit ha sido publicado y puede utilizarse."}], "id": "CVE-2026-5126", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-30T18:16:20.537", "references": [{"source": "cna@vuldb.com", "url": "https://medium.com/@hemantrajbhati5555/discovering-a-blind-ssrf-vulnerability-in-a-php-rss-feed-parser-243f3ccbdafb"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780180"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354158"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354158/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "RSS Feed Parser", "source": "cna", "vendor": "SourceCodester"}, "product": "rss_feed_parser", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-30T19:21:37.716326+00:00", "value": {"mitigation_remediation": ["Check the SourceCodester website for any updates or patches to RSS Feed Parser 1.0 and apply them promptly.", "If a patch is not available, restrict outbound network traffic from the server to known legitimate endpoints to prevent arbitrary requests.", "Consider implementing network segmentation or firewall rules to block the server from accessing internal services that could be abused by SSRF.", "Validate or sanitize any URLs passed to file_get_contents to ensure they do not point to internal or privileged resources.", "Monitor logs for unusual outbound request activity that might indicate exploitation attempts."], "summary": {"action": "Patch", "impact": "Server-side request forgery"}, "threat_synthesis": {"affected_systems": "Affected specifically is the SourceCodester RSS Feed Parser product, version 1.0. No other versions or components were listed in the CNA data.", "description_and_impact": "The vulnerability is a server-side request forgery in SourceCodester RSS Feed Parser 1.0, affecting the file_get_contents function. By supplying a crafted URL, an attacker can cause the application to make arbitrary HTTP requests on the server's behalf, potentially reaching internal services or disclosing sensitive data. The flaw is classified under CWE\u2011918 and allows remote exploitation without authentication.", "risk_and_exploitability": "The CVSS base score is 5.3 indicating moderate severity. The exploit is already publicly available and can be launched remotely, though the EPSS score is not provided and the vulnerability is not present in the CISA KEV catalog. As the server side request forgery can be triggered via the file_get_contents function, an attacker who can interact with the application may abuse it to reach privileged internal endpoints, potentially leading to data exposure or further lateral movement."}}}}, "created": "2026-03-30T20:55:17.721484+00:00", "updated": "2026-03-31T20:40:30.565988+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$rss_feed_parser"]}