
Podinfo CVE-2025-70849

Severity: MEDIUM (CVSS 3.1, NVD: 6.1)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published 2026-02-03 · Assigner: cve@mitre.org · Advisory: GHSA-mw8w-q3f7-2v85

Severity by source

NVD (primary): 6.1 MEDIUM, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE: MEDIUM (qualitative rating, no vector)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (newest first)

Patch released: Mar 31, 2026 21:13 (nvd) - patch available
Analysis generated: Mar 12, 2026 21:54 (vuln.today)
PoC detected: Feb 11, 2026 15:30 (vuln.today) - public exploit code
CVE published: Feb 03, 2026 18:16 (nvd)

Description (CVE.org)

Arbitrary File Upload in podinfo through 6.9.0 allows unauthenticated attackers to upload arbitrary files via a crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).

Analysis (AI)

The weakness is in how /store handles what it receives rather than in any one upload: an unauthenticated client can POST arbitrary bytes, and the service later serves them back without constraining the Content-Type or attaching a Content-Security-Policy, so a body that a browser treats as an HTML document is rendered in the application's origin and any script in it runs there. The vector reflects this: no privileges are needed to upload (PR:N), a victim has to open the stored URL (UI:R), and the impact lands in the victim's browser rather than in the podinfo process (S:C), with low confidentiality and integrity impact and no availability impact. [CVSS 6.1 MEDIUM]

Technical Context (AI)

Classified as CWE-79 (Cross-site Scripting). Affects podinfo through 6.9.0. Two missing controls combine: the /store handler does not validate the Content-Type of what it accepts and serves, and its responses carry no restrictive CSP that would stop inline script from executing even when HTML is served. Either control on its own would have blocked the stored XSS; the advisory reports that neither was present.

Remediation (AI)

Upgrade to a podinfo release that contains the fix for GHSA-mw8w-q3f7-2v85 (affected versions are 6.9.0 and earlier; the timeline records a patch as released). Until the upgrade lands, or as defense in depth: validate the Content-Type of uploads to /store against an allowlist and reject everything else with 415; serve stored content with X-Content-Type-Options: nosniff, a restrictive Content-Security-Policy (for example default-src 'none'), and Content-Disposition: attachment so the browser downloads rather than renders it; apply output encoding wherever stored content is embedded in HTML; and restrict network access to the /store endpoint, which accepts uploads without authentication. Verify the mitigation by uploading a text/html body and confirming that the service either rejects it or returns it with those headers.
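The following Go program is an added example written for this page; it is not podinfo's code (Go is used because podinfo is a Go service). It models a minimal in-memory /store endpoint and exercises it twice: once with the weakness the description names (uploader-chosen Content-Type echoed back with no CSP), and once with the controls the remediation section calls for. The handler, the allowlist of media types, the 1 MiB size cap and the sample payload are assumptions for illustration; the project's actual fix may differ.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// item is one stored upload; the recorded content type is what gets served back.
type item struct{ body []byte; contentType string }

// storeHandler is an assumed in-memory model of a /store endpoint, not podinfo's code.
// hardened=false reproduces the reported weakness; hardened=true applies the fixes.
type storeHandler struct {
	hardened bool
	items    map[string]item
}

// allowedUploadTypes is an assumed allowlist of types a browser will not execute as a document.
var allowedUploadTypes = map[string]bool{"application/json": true, "text/plain": true}

func (s *storeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == http.MethodPost && r.URL.Path == "/store":
		ct := r.Header.Get("Content-Type") // vulnerable path: raw client header is trusted
		if s.hardened {
			mt, _, err := mime.ParseMediaType(ct)
			if err != nil || !allowedUploadTypes[mt] {
				http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
				return
			}
			ct = mt                                       // keep only the parsed, allowlisted type
			r.Body = http.MaxBytesReader(w, r.Body, 1<<20) // assumed 1 MiB upload cap
		}
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "unreadable or oversized body", http.StatusBadRequest)
			return
		}
		key := strconv.Itoa(len(s.items) + 1)
		s.items[key] = item{body: body, contentType: ct}
		w.WriteHeader(http.StatusAccepted)
		fmt.Fprintf(w, "/store/%s", key)
	case r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/store/"):
		it, ok := s.items[strings.TrimPrefix(r.URL.Path, "/store/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		h := w.Header()
		h.Set("Content-Type", it.contentType) // vulnerable path: text/html renders in the app's origin
		if s.hardened {
			h.Set("Content-Type", it.contentType+"; charset=utf-8")        // allowlisted type only
			h.Set("X-Content-Type-Options", "nosniff")                      // no MIME sniffing
			h.Set("Content-Security-Policy", "default-src 'none'; sandbox") // no script, no origin
			h.Set("Content-Disposition", "attachment")                      // download, never render
		}
		_, _ = w.Write(it.body)
	default:
		http.NotFound(w, r)
	}
}

// result is what a browser would observe after uploading a body and fetching it back.
type result struct{ UploadStatus int; ServedType, CSP, Nosniff, Body string }

// exercise uploads payload with the given Content-Type and fetches it back in-process.
func exercise(hardened bool, payload, contentType string) result {
	h := &storeHandler{hardened: hardened, items: map[string]item{}}
	up := httptest.NewRequest(http.MethodPost, "/store", strings.NewReader(payload))
	up.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, up)
	res := result{UploadStatus: rec.Code}
	if rec.Code != http.StatusAccepted {
		return res
	}
	get := httptest.NewRecorder()
	h.ServeHTTP(get, httptest.NewRequest(http.MethodGet, rec.Body.String(), nil))
	hdr := get.Result().Header
	res.ServedType, res.CSP = hdr.Get("Content-Type"), hdr.Get("Content-Security-Policy")
	res.Nosniff, res.Body = hdr.Get("X-Content-Type-Options"), get.Body.String()
	return res
}

func main() {
	payload := "<script>alert(1)</script>" // constructed sample, not the published PoC
	fmt.Printf("vulnerable: %+v\n", exercise(false, payload, "text/html"))
	fmt.Printf("hardened:   %+v\n", exercise(true, payload, "text/html"))
	fmt.Printf("hardened:   %+v\n", exercise(true, `{"k":"v"}`, "application/json"))
}
```

The first run shows the reported condition: the HTML body comes back as text/html with no CSP, which is all a browser needs to execute it in the application's origin. The second run is rejected at upload with 415 because text/html is not on the allowlist, and the third shows that an allowlisted type is still served with nosniff, a no-script CSP and an attachment disposition, so even a future allowlist mistake would not hand the attacker the origin. The same upload-then-fetch check is a quick way to confirm a deployed instance is fixed.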

Vendor Status (vendor-reported)

SUSE (severity: Medium)

Product: Status
openSUSE Leap 15.5: Fixed
openSUSE Leap 15.6: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5: Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6: Fixed


CVE-2025-70849 vulnerability details – vuln.today
