CVE-2026-43644
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
Podinfo up to version 6.11.2 contains a reflected XSS vulnerability in the /echo and /api/echo endpoints. The echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers, allowing attackers to execute scripts in the podinfo origin context.
Risk Assessment
An attacker can trick a victim into visiting a malicious page that auto-submits a form with a script payload, leading to code execution in the podinfo context. This could result in session theft, data modification, or further attacks on users.
Recommendation
Immediately update podinfo to a version newer than 6.11.2. As a temporary workaround, configure Content-Type and X-Content-Type-Options headers on the server or reverse proxy.
Original NVD description (English source)
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.

