SecBoard
Zurück zur CVE-Übersicht

CVE-2026-43644

MEDIUM(5.4)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Risk Signal Score14/100 — NIEDRIG
  • CVSS 5.4 — Mittel

EPSS-Score

0%

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

5.4

Technische Schwere

Beschreibung

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.

GitHub Advisories

GHSA-q23m-vm9r-5745MEDIUM

podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints

go/github.com/stefanprodan/podinfo1.8.1-0.20260519111337-cbebb20fd485
GitHub Advisory

Referenzen