38 matches found
CVE-2026-43644
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
Exploit for Unrestricted Upload of File with Dangerous Type in Stefanprodan Podinfo
CVE-2025-70849: Stored XSS in Podinfo Summary A security v...
GHSA-Q23M-VM9R-5745 podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
CVE-2026-43644
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
CVE-2026-43644
CVE-2026-43644 affects podinfo up to version 6.11.2. The vulnerability is a reflected XSS in the /echo and /api/echo endpoints, caused by the echoHandler writing the request body to the response without setting explicit Content-Type or X-Content-Type-Options headers. Go’s content-type detection m...
CVE-2026-43644 podinfo 6.11.2 Reflected XSS via /echo Endpoint
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
CVE-2026-43644
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
CVE-2026-43644 podinfo 6.11.2 Reflected XSS via /echo Endpoint
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
EUVD-2026-30275
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin...
PT-2026-40911
Name of the Vulnerable Software and Affected Versions podinfo versions prior to 6.11.3 Description A reflected cross-site scripting issue exists in the '/echo' and '/api/echo' endpoints. The echoHandler function writes request body content directly to the response without setting explicit...
podinfo 跨站脚本漏洞
Podinfo is a Kubernetes microservice template developed by Stefan Prodan. Versions of Podinfo 6.11.2 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from the fact that the echoHandler did not set a clear Content-Type or X-Content-Type-Options header on the...
Security-Advisories
Security Advisories Public security advisories and proof-of-c...
CVE-2026-33810 vulnerabilities
Vulnerabilities for packages: newrelic-k8s-metadata-injection, sealed-secrets-fips, oras-fips, flux-operator-fips, kube-logging-logging-operator, clickhouse-operator, karma-fips, victorialogs-fips, go, nginx-kubernetes-ingress-fips, nodetaint, envoy-ratelimit, aws-eks-pod-identity-agent-fips,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: newrelic-k8s-metadata-injection, sealed-secrets-fips, oras-fips, flux-operator-fips, kube-logging-logging-operator, clickhouse-operator, karma-fips, victorialogs-fips, go, nginx-kubernetes-ingress-fips, nodetaint, envoy-ratelimit, aws-eks-pod-identity-agent-fips,...
CVE-2026-32283 vulnerabilities
Vulnerabilities for packages: kyverno-policy-reporter-ui, quic-go-fips, xeol, harbor-cli, azure-service-operator, argo-rollouts, k3d, maru, nri-f5, rancher-system-upgrade-controller, pushprox-fips, kpt, cert-manager-cmctl, kubescape-http-request-fips, dask-gateway, kubevirt-cdi-controller-fips,...
GHSA-5W89-2C2X-6X66 vulnerabilities
Vulnerabilities for packages: xeol, argo-rollouts, ini-file-fips, pushprox-fips, kpt, terraform-provider-random-fips, tetragon-fips, gke-gcloud-auth-plugin, mountpoint-s3-csi-driver, mattmoor-chainit, kubevirt-cdi-uploadproxy-fips, knative-eventing-fips, cluster-api-fips, local-path-provisioner,...
SUSE CVE-2025-70849
Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy CSP or adequate Content-Type validation, leading to Stored...
GO-2026-4404 Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) in github.com/stefanprodan/podinfo
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting XSS in github.com/stefanprodan/podinfo...
CVE-2025-70849
Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy CSP or adequate Content-Type validation, leading to Stored...