Description
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.
Published: 2026-05-14
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the /echo and /api/echo endpoints of podinfo version 6.11.2. The echo handler returns the request body directly to the browser without setting a Content-Type or X-Content-Type-Options header, so Go's content type detection infers the payload as text/html. Attackers can embed malicious script in a cross-origin form that auto-submits to the podinfo endpoints, which then reflect the script in a response served as HTML. The reflected script executes in the podinfo origin context when a victim visits the attacker's page. By inference, this could allow an attacker to hijack sessions, steal credentials, or modify client-side data within the podinfo origin.

Affected Systems

Podinfo, a lightweight demo application maintained by stefanprodan on GitHub, is affected by this flaw in version 6.11.2 and earlier releases. The CVE specifically references the 6.11.2 release, so any deployment of that version is vulnerable unless patched or upgraded.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remote, web-based attack in which a victim visits an attacker-controlled HTML page that auto-submits a crafted form to podinfo. Privilege escalation is not required; the attack relies solely on the execution of client-side code in the podinfo origin context. The risk is moderate, and the vulnerability can be mitigated by patching or applying the recommended controls.

Generated by OpenCVE AI on May 14, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade podinfo to version 6.11.3 or later, which includes the fix.
  • Configure the /echo and /api/echo handlers to set an explicit Content-Type header (e.g., text/html; charset=UTF-8) and the X-Content-Type-Options header to "nosniff".
  • Restrict access to the /echo and /api/echo endpoints, or place them behind a firewall, reverse proxy, or API gateway to limit exposure to trusted clients.
  • If a temporary workaround is required, add strict Content Security Policy headers that disallow scripts from external sources and enforce script execution only from trusted locations.
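The Go handlers below are an added illustration, not podinfo's own source: vulnerableEcho reproduces the pattern the advisory describes (body written back with no Content-Type, so net/http sniffs it), and hardenedEcho applies the recommended controls, using a fixed text/plain type so the echoed body is never interpreted as a document. httptest.ResponseRecorder sniffs the type the same way the real server does, so echoHeaders shows the difference without a network.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableEcho mirrors the advisory's pattern: the body is written back with no
// Content-Type, so net/http sniffs it (http.DetectContentType) and HTML-shaped
// input is served as text/html. Illustration only, not podinfo's source.
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	w.Write(body)
}

// hardenedEcho applies the recommended controls: a fixed non-HTML Content-Type,
// X-Content-Type-Options: nosniff so browsers honour it, and a restrictive CSP.
func hardenedEcho(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body at 1 MiB
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "text/plain; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'")
	w.WriteHeader(http.StatusAccepted)
	w.Write(body)
}

// echoHeaders POSTs body to h and returns the response Content-Type and X-Content-Type-Options.
func echoHeaders(h http.HandlerFunc, body string) (string, string) {
	req := httptest.NewRequest(http.MethodPost, "/echo", strings.NewReader(body))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Content-Type"), rec.Header().Get("X-Content-Type-Options")
}

func main() {
	sample := "<html><body>hello</body></html>" // constructed HTML-shaped sample, no script
	ct, _ := echoHeaders(vulnerableEcho, sample)
	fmt.Println("vulnerable handler serves:", ct)
	ct, xcto := echoHeaders(hardenedEcho, sample)
	fmt.Println("hardened handler serves:", ct, "nosniff:", xcto)
}
```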

Advisories
Source: Github GHSA
ID: GHSA-q23m-vm9r-5745
Title: podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints
History

Mon, 01 Jun 2026 14:00:00 +0000

CPEs (values added): cpe:2.3:a:stefanprodan:podinfo:*:*:*:*:*:kubernetes:*:*

Thu, 14 May 2026 15:00:00 +0000

First Time appeared (values added): Stefanprodan; Stefanprodan podinfo
Vendors & Products (values added): Stefanprodan; Stefanprodan podinfo

Thu, 14 May 2026 14:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:00:00 +0000

Description (values added): text as in the Description section above
Title (values added): podinfo 6.11.2 Reflected XSS via /echo Endpoint
Weaknesses (values added): CWE-79
References (values added): none shown
Metrics (values added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T14:38:51.886Z

Reserved: 2026-05-01T18:22:45.643Z

Link: CVE-2026-43644

Vulnrichment

Updated: 2026-05-14T13:46:21.591Z

NVD

Status: Analyzed

Published: 2026-05-14T13:16:18.770

Modified: 2026-06-01T13:48:57.850

Link: CVE-2026-43644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T15:15:23Z

Weaknesses