PT-2026-5988 · Podinfo · Podinfo

Published 2026-02-03 · Updated 2026-02-11 · CVE-2025-70849

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: podinfo versions through 6.9.0

Description: An arbitrary file upload issue exists in podinfo through version 6.9.0. Unauthenticated attackers can upload arbitrary files by sending a crafted POST request to the /store endpoint. The application neither implements a restrictive Content-Security-Policy (CSP) nor adequately validates the Content-Type when rendering uploaded content, which can lead to Stored Cross-Site Scripting (XSS). A Content-Security-Policy is a security standard that helps prevent XSS by controlling which resources the browser is allowed to load. Content-Type validation is the process of verifying that the type of the uploaded data matches the expected type.

Recommendations: Update podinfo to a version newer than 6.9.0.
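The two controls named in the description, shown as an added example that is not podinfo's code or the upstream fix: a hypothetical /store upload handler that validates the declared Content-Type, and a /store/{hash} retrieval handler that serves stored bytes as inert text under nosniff and a restrictive CSP, so an HTML-looking upload is never rendered as a page. The route names, the 1 MiB cap and the hash-keyed storage are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"mime"
	"net/http"
	"strings"
	"sync"
)

// Store: assumed minimal upload/retrieve stand-in, not podinfo's own /store code.
type Store struct{ items sync.Map } // hex(SHA-256 of body) -> []byte

// Upload (POST /store): require a declared text/plain body, cap size, key by hash.
func (s *Store) Upload(w http.ResponseWriter, r *http.Request) {
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "text/plain" {
		http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1 MiB cap (assumed)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	key := fmt.Sprintf("%x", sha256.Sum256(body)) // uploader cannot choose the path
	s.items.Store(key, body)
	w.WriteHeader(http.StatusAccepted)
	io.WriteString(w, key)
}

// Retrieve (GET /store/{hash}): serve as inert text; nosniff + CSP block scripts.
func (s *Store) Retrieve(w http.ResponseWriter, r *http.Request) {
	v, ok := s.items.Load(strings.TrimPrefix(r.URL.Path, "/store/"))
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.Write(v.([]byte))
}

func main() {
	var s Store
	http.HandleFunc("/store", s.Upload)
	http.HandleFunc("/store/", s.Retrieve)
	http.ListenAndServe(":8080", nil)
}
```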

Exploit

Fix

XSS

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2025-70849
GHSA-MW8W-Q3F7-2V85
GO-2026-4404
SUSE-SU-2026:0403-1

Affected Products

Podinfo