CVE-2026-43644

216.73.216.6

· Published 14/05/2026 13:16 · Modified 14/05/2026 18:15

Labels: CVE-2026-43644 2026-05-14 CVE-2026-43644 CWE-79 [email protected]

Essential information

Published: 14/05/2026 13:16
Modified: 14/05/2026 18:15
Author: —
Creator: —
CVSS: 5.1 MEDIUM (v3) 5.1 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
podinfo / podinfo	`cpe:2.3:a:podinfo:podinfo:6.11.2:::::::*`