PT-2026-40911 · Podinfo · Podinfo

·

CVE-2026-43644

·

Published

2026-05-14

·

Updated

2026-06-25

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions podinfo versions prior to 6.11.3
Description A reflected cross-site scripting issue exists in the '/echo' and '/api/echo' endpoints. The echoHandler function writes request body content directly to the response without setting explicit 'Content-Type' or 'X-Content-Type-Options' headers. This allows attackers to use cross-origin HTML pages with auto-submitting forms containing script payloads in the request body. Because of Go's content type detection, these responses are served as 'text/html', enabling the script to execute within the podinfo origin context when a victim visits the malicious page.
Recommendations Update to a version later than 6.11.2. As a temporary workaround, restrict access to the '/echo' and '/api/echo' endpoints to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43644
GHSA-Q23M-VM9R-5745
GO-2026-5560

Affected Products

Podinfo