VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published May 14, 2026 · Updated Jun 1, 2026

CVE-2026-43644
Description

podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.
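The mechanism above, shown as an added illustration rather than podinfo's own code: a minimal echo handler written in the pattern the advisory describes (body copied to the response with no explicit Content-Type), next to the hardened form that pins `Content-Type: text/plain` and sets `X-Content-Type-Options: nosniff`. The handler and helper names (`echoUnsafe`, `echoHardened`, `responseHeaders`) and the sample body are constructed for this example; the response headers are checked with `net/http/httptest`, whose recorder applies the same `http.DetectContentType` sniffing that a real `net/http` server does when no Content-Type is set.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// echoUnsafe mirrors the pattern the advisory describes (constructed example, not
// podinfo's code): the request body is written straight to the response with no
// explicit Content-Type. net/http then sniffs the first 512 bytes with
// http.DetectContentType, so an HTML-looking body is labelled text/html and a
// browser will render it in the responding origin.
func echoUnsafe(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Write(body)
}

// echoHardened pins the representation the client may assume: an explicit,
// non-HTML Content-Type set before the first Write, plus nosniff so browsers do
// not second-guess it. The body is also size-capped (1 MiB, an arbitrary choice
// for the example) so the echo cannot be used to buffer unbounded input.
func echoHardened(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "text/plain; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

// responseHeaders drives one handler with a POST carrying body and returns the
// Content-Type and X-Content-Type-Options values a client would receive.
func responseHeaders(h http.HandlerFunc, body string) (contentType, nosniff string) {
	req := httptest.NewRequest(http.MethodPost, "/echo", strings.NewReader(body))
	rec := httptest.NewRecorder()
	h(rec, req)
	res := rec.Result()
	defer res.Body.Close()
	return res.Header.Get("Content-Type"), res.Header.Get("X-Content-Type-Options")
}

func main() {
	// Constructed sample body: harmless markup that the sniffer classifies as HTML.
	const sample = "<html><body>constructed sample body</body></html>"
	for _, tc := range []struct {
		name string
		h    http.HandlerFunc
	}{{"unsafe", echoUnsafe}, {"hardened", echoHardened}} {
		ct, xcto := responseHeaders(tc.h, sample)
		fmt.Printf("%-8s Content-Type=%q X-Content-Type-Options=%q\n", tc.name, ct, xcto)
	}
}
```

Running it prints `text/html; charset=utf-8` with no nosniff header for the unsafe handler and `text/plain; charset=utf-8` with `nosniff` for the hardened one. The two header lines are the whole fix: once the type is declared explicitly and sniffing is disabled, the echoed bytes are inert text regardless of what they look like. For a deployed service, a detection check is simply a response-header assertion against the echo endpoint in CI or a synthetic monitor.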

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/stefanprodan/podinfo (Go)
Affected versions: < 1.8.1-0.20260519111337-cbebb20fd485
Patched versions: 1.8.1-0.20260519111337-cbebb20fd485

Affected products (3)

  • Stefanprodan/Podinfo (3 versions)
    • (no CPE)
    • cpe:2.3:a:stefanprodan:podinfo:*:*:*:*:*:kubernetes:*:*, range: <= 6.11.12
    • (no CPE), range: <= 6.11.2

Patches

Vulnerability mechanics

References (8)

News mentions (0)

No linked articles in our index yet.