CVE-2026-3163
Published: 25 February 2026
Summary
CVE-2026-3163 is a medium-severity SSRF (CWE-918) vulnerability in Remyandrade Website Link Extractor. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3163 is a server-side request forgery (SSRF) vulnerability, associated with CWE-918, affecting SourceCodester Website Link Extractor version 1.0. The flaw exists in the file_get_contents function of the URL Handler component, where manipulation enables SSRF. Published on 2026-02-25, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Exploitation triggers the server to make unintended requests, potentially allowing access to internal resources, with limited impacts on confidentiality, integrity, and availability.
Advisories on VulDB (ctiid.347670, id.347670, submit.758932) and a Medium post document the issue and public exploit disclosure. The vendor site at sourcecodester.com is referenced, but specific patch or mitigation details are not outlined in the available descriptions.
The exploit has been disclosed publicly and may be used, heightening the risk of real-world attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8513
Vulnerability details
A vulnerability has been found in SourceCodester Website Link Extractor 1.0. This vulnerability affects the function file_get_contents of the component URL Handler. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has…
more
been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app (file_get_contents URL handler) directly enables remote exploitation of the application to force unintended outbound requests to internal resources.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the malicious URL supplied to file_get_contents that triggers the SSRF in the URL Handler component.
Enforces information-flow rules that prevent the application server from initiating unauthorized outbound requests to internal resources.
Boundary-protection mechanisms can restrict the unintended network requests the server is tricked into making by the SSRF payload.