Skip to main content

podinfo CVE-2026-43644

| EUVDEUVD-2026-30275 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 VulnCheck GHSA-q23m-vm9r-5745
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
May 14, 2026 - 13:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
May 14, 2026 - 13:17 vuln.today
CVE Published
May 14, 2026 - 12:37 nvd
MEDIUM 5.4

DescriptionCVE.org

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.

AnalysisAI

Reflected cross-site scripting in podinfo through 6.11.2 allows remote unauthenticated attackers to execute arbitrary JavaScript in the context of a victim's browser session by crafting HTML pages with auto-submitting forms that deliver script payloads to the /echo or /api/echo endpoints. The vulnerability exists because the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers, causing Go's content type detection to default to text/html. Publicly available exploit code confirms the vulnerability is exploitable, though CISA KEV status is not confirmed at the time of analysis.

Technical ContextAI

podinfo is a Go-based microservice demonstration application. The vulnerability stems from inadequate HTTP header handling in the echoHandler function, which processes POST requests to /echo and /api/echo endpoints. When a request body is echoed back in the response, the absence of explicit Content-Type headers (such as text/plain or application/json) and the missing X-Content-Type-Options: nosniff header causes Go's http.ResponseWriter to perform automatic content type detection based on the response body. If the body contains HTML-like content (e.g., script tags), Go defaults the response to text/html, enabling the browser to parse and execute embedded JavaScript. This is a classic reflected XSS (CWE-79) vulnerability where user-controlled input (the request body) is rendered in the response without sanitization or encoding. The attack vector leverages cross-origin form submission: an attacker hosts a malicious HTML page with a form that auto-submits to the podinfo instance, causing the victim's browser to send a POST request with a script payload in the body. The same-origin policy does not block the form submission itself, only the attacker's ability to read the response-however, the attacker does not need to read the response; the JavaScript executes within the podinfo origin when the victim's browser processes the response.

RemediationAI

Upgrade podinfo to version 6.11.3 or later, which implements explicit Content-Type headers (text/plain) and the X-Content-Type-Options: nosniff header in the echoHandler response. Apply this patch immediately to any podinfo installations exposed to untrusted networks. For users unable to patch immediately, implement a Web Application Firewall (WAF) rule to block requests to /echo and /api/echo endpoints from external sources, or restrict these endpoints to local/trusted networks only. Note that disabling the endpoints entirely via application configuration (if supported) is the most effective workaround but may impact legitimate monitoring or testing use cases. Validate patch application by confirming that responses from /echo endpoints include the X-Content-Type-Options header and Content-Type: text/plain in HTTP response headers. Patch details and release information are available at https://github.com/stefanprodan/podinfo and https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-43644/cve-2026-43644.md.

Share

CVE-2026-43644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy