{"id":"CVE-2026-43644","summary":"podinfo 6.11.2 Reflected XSS via /echo Endpoint","details":"podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTML pages with auto-submitting forms containing script payloads in the request body, which are served as text/html due to Go's content type detection, allowing the reflected script to execute in the podinfo origin context when victims visit the attacker's page.","aliases":["GHSA-q23m-vm9r-5745","GO-2026-5560"],"modified":"2026-07-08T08:13:27.712772098Z","published":"2026-05-14T12:37:40.408Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43644.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43644.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43644"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/podinfo-reflected-xss-via-echo-endpoint"},{"type":"REPORT","url":"https://github.com/stefanprodan/podinfo/issues/474"},{"type":"PACKAGE","url":"https://github.com/stefanprodan/podinfo"},{"type":"EVIDENCE","url":"https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-43644/cve-2026-43644.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/stefanprodan/podinfo","events":[{"introduced":"0"},{"fixed":"b501abd1f0f2acf49c39f2d9cd47b460578d87f0"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"6.11.2"},{"fixed":"6.11.2"}],"source":["AFFECTED_FIELD","DESCRIPTION"]}}],"versions":["6.11.1","6.11.0","6.10.2","6.10.1","6.10.0","6.9.4","6.9.3","6.9.2","6.9.1","6.9.0","6.8.0","6.7.1","6.7.0","6.6.3","6.6.2","6.6.1","6.6.0","6.5.4","6.5.3","6.5.2","6.5.1","6.5.0","6.4.1","6.4.0","6.3.6","6.3.5","6.3.4","6.3.3","6.3.2","6.3.1","6.3.0","6.2.3","6.2.2","6.2.1","6.2.0","6.1.8","6.1.7","6.1.6","6.1.5","6.1.4","6.1.3","6.1.2","6.1.1","6.1.0","6.0.4","6.0.3","6.0.2","6.0.1","6.0.0","5.2.1","5.2.0","5.1.4","5.1.3","5.1.2","5.1.1","5.1.0","5.0.3","5.0.2","5.0.1","5.0.0","4.0.6","4.0.5","4.0.4","4.0.3","4.0.2","4.0.1","4.0.0","3.3.1","3.3.0","3.2.4","3.2.3","3.2.2","3.2.1","3.2.0","3.1.5","3.1.4","3.1.3","3.1.2","3.1.1","3.1.0","3.0.0","2.1.3","2.1.2","2.1.1","2.1.0","2.0.2","2.0.1","2.0.0","v1.8.0","v1.7.0","v1.6.0","v1.4.2","v1.4.1","v1.4.0","v1.3.1","v1.3.0","v1.2.1","v1.2.0","v1.1.1","v1.1.0","v1.0.0","v0.5.0","v0.4.0","0.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43644.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}