PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43644 Stefanprodan CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in Podinfo through version 6.11.2, specifically affecting the `/echo` and `/api/echo` endpoints. The `echoHandler` function writes request body content directly to the HTTP response without explicitly setting `Content-Type` or `X-Content-Type-Options` headers. Due to Go's automatic content type detection, attacker-supplied script payloads in request bodies can be served as `text/html`. An attacker can construct a cross-origin HTML page with an auto-submitting form containing a malicious payload; when a victim visits the attacker's page, the reflected script executes in the context of the Podinfo origin. This vulnerability was published on 2026-05-14 and last modified on 2026-06-01. The issue is tracked in the Podinfo GitHub repository, and third-party advisories with mitigation guidance are available.

Vendor
Stefanprodan
Product
Podinfo
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-06-01
Advisory published
2026-05-14
Advisory updated
2026-06-01

Who should care

Organizations running Podinfo instances (particularly in Kubernetes environments) through affected versions; security teams monitoring for reflected XSS in Go-based web applications; developers responsible for header security configurations in HTTP handlers.

Technical summary

The vulnerability stems from missing explicit response headers in Podinfo's echo handler. When request body content is reflected without `Content-Type` or `X-Content-Type-Options: nosniff`, Go's `http.DetectContentType` may classify attacker-controlled content as `text/html`. Combined with cross-origin form submission, this enables reflected XSS execution in the victim's browser under the Podinfo origin. The CVSS 4.0 score of 5.1 (MEDIUM) reflects required user interaction and limited scope impacts. No known exploitation in ransomware campaigns is documented.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Podinfo to a version newer than 6.11.2/6.11.12 when available, or apply vendor-provided patches.
  • Implement explicit `Content-Type: text/plain` headers in the `echoHandler` response to prevent browser HTML interpretation.
  • Add `X-Content-Type-Options: nosniff` response headers to disable MIME type sniffing.
  • Validate and sanitize all request body content before reflection in HTTP responses.
  • Consider implementing Content Security Policy (CSP) headers to restrict script execution contexts.
  • Review and audit other endpoints that reflect user input for similar header omission issues.

Evidence notes

The vulnerability description is sourced from the official NVD record with trust class 'official_vulnerability_database'. CPE criteria confirm affected versions through 6.11.12 (note: description states 6.11.2; CPE indicates 6.11.12). CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, with low impacts to system confidentiality and integrity. CWE-79 (Improper Neutralization of Input During Web Page Generation) is identified as the primary weakness.

Official resources

public