Low severity · OSV Advisory · Published Feb 3, 2026 · Updated Feb 5, 2026
CVE-2025-70849
Description
Arbitrary file upload in podinfo through 6.9.0 allows unauthenticated attackers to upload arbitrary files via a crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/stefanprodan/podinfo | Go | < 1.8.1-0.20260314125853-83deb7fcb742 | 1.8.1-0.20260314125853-83deb7fcb742 |
Affected products
- Range: 0.2.2, 2.0.0, 2.0.1, …
- GHSA coordinates (2 versions): pkg:golang/github.com/stefanprodan/podinfo, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- < 1.8.1-0.20260314125853-83deb7fcb742 (+ 1 more)
- (no CPE) range: < 1.8.1-0.20260314125853-83deb7fcb742
- (no CPE) range: < 0.0.20260205T172317-150000.1.146.1
References
- github.com/advisories/GHSA-mw8w-q3f7-2v85 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-70849 (GHSA, advisory)
- gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea (GHSA, web)
- github.com/stefanprodan/podinfo/commit/83deb7fcb7421f2d01eeb7475b18d72f16084aed (GHSA, web)
- github.com/stefanprodan/podinfo/pull/463 (GHSA, web)
- github.com/stefanprodan/podinfo/releases/tag/6.11.1 (GHSA, web)