Stefanprodan

stefanprodan

2 CVEs • 1 product

Products (1)

Click to collapse

Toggle

Podinfo

podinfo

2 CVEs

CVEs (2)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-43644 1Stefanprodan 1Podinfo Jun 1, 2026 May 14, 2026 5.1 MEDIUM· v4 6.1 MEDIUM· v3 N/A· v2 podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Cont...Show more podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.Show less
CVE-2025-70849 1Stefanprodan 1Podinfo Feb 11, 2026 Feb 3, 2026 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Conte...Show more Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).Show less

CVE

VENDORS

PRODUCTS

UPDATED

PUBLISHED

CVSS

CVE-2026-43644

1Stefanprodan

1Podinfo

Jun 1, 2026

May 14, 2026

5.1 MEDIUM· v4

6.1 MEDIUM· v3

N/A· v2

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.Show less

CVE-2025-70849

1Stefanprodan

1Podinfo

Feb 11, 2026

Feb 3, 2026

N/A· v4

6.1 MEDIUM· v3

N/A· v2

Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).Show less