Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.
AnalysisAI
Reflected cross-site scripting in podinfo through 6.11.2 allows remote unauthenticated attackers to execute arbitrary JavaScript in the context of a victim's browser session by crafting HTML pages with auto-submitting forms that deliver script payloads to the /echo or /api/echo endpoints. The vulnerability exists because the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers, causing Go's content type detection to default to text/html. Publicly available exploit code confirms the vulnerability is exploitable, though CISA KEV status is not confirmed at the time of analysis.
Technical ContextAI
podinfo is a Go-based microservice demonstration application. The vulnerability stems from inadequate HTTP header handling in the echoHandler function, which processes POST requests to /echo and /api/echo endpoints. When a request body is echoed back in the response, the absence of explicit Content-Type headers (such as text/plain or application/json) and the missing X-Content-Type-Options: nosniff header causes Go's http.ResponseWriter to perform automatic content type detection based on the response body. If the body contains HTML-like content (e.g., script tags), Go defaults the response to text/html, enabling the browser to parse and execute embedded JavaScript. This is a classic reflected XSS (CWE-79) vulnerability where user-controlled input (the request body) is rendered in the response without sanitization or encoding. The attack vector leverages cross-origin form submission: an attacker hosts a malicious HTML page with a form that auto-submits to the podinfo instance, causing the victim's browser to send a POST request with a script payload in the body. The same-origin policy does not block the form submission itself, only the attacker's ability to read the response-however, the attacker does not need to read the response; the JavaScript executes within the podinfo origin when the victim's browser processes the response.
RemediationAI
Upgrade podinfo to version 6.11.3 or later, which implements explicit Content-Type headers (text/plain) and the X-Content-Type-Options: nosniff header in the echoHandler response. Apply this patch immediately to any podinfo installations exposed to untrusted networks. For users unable to patch immediately, implement a Web Application Firewall (WAF) rule to block requests to /echo and /api/echo endpoints from external sources, or restrict these endpoints to local/trusted networks only. Note that disabling the endpoints entirely via application configuration (if supported) is the most effective workaround but may impact legitimate monitoring or testing use cases. Validate patch application by confirming that responses from /echo endpoints include the X-Content-Type-Options header and Content-Type: text/plain in HTTP response headers. Patch details and release information are available at https://github.com/stefanprodan/podinfo and https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-43644/cve-2026-43644.md.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30275
GHSA-q23m-vm9r-5745