CVE-2025-70849

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

03/02/2026

Last modified:

03/02/2026

Description

Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS).

Impact

References to Advisories, Solutions, and Tools

https://gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea