CVE-2026-43644 — Cross-Site Scripting (XSS)
CVE-2026-43644 — podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft
What This Means For You
- If your environment is affected by CWE-79, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-43644 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-43644 - Reflected XSS via /echo endpoint
title: CVE-2026-43644 - Reflected XSS via /echo endpoint
id: scw-2026-05-14-ai-1
status: experimental
level: medium
description: |
Detects attempts to exploit CVE-2026-43644 by sending requests to the /echo endpoint. This vulnerability allows reflected XSS because the application reflects request body content without proper content type handling, leading to script execution in the context of the podinfo origin. This rule specifically targets the vulnerable endpoint and method.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-43644/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
uri|contains:
- '/echo'
cs-method:
- 'POST'
sc-status:
- 200
# The exact payload will vary, but look for common XSS patterns reflected in the body
# This is a simplified example; a real-world rule might need more sophisticated payload analysis
# For this specific CVE, the vulnerability is in how the request body is handled and reflected.
# The absence of Content-Type and X-Content-Type-Options headers is key.
# Detecting the *reflection* of a script is the goal here, which is hard without body inspection.
# However, targeting the vulnerable endpoint with POST requests is a strong indicator.
# A more advanced rule could potentially look for specific HTML/JS patterns in response bodies if available.
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43644 | vulnerability | CVE-2026-43644 |
| CWE-79 | weakness | CWE-79 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 16:16 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6637: PostgreSQL 'refint' Module Allows RCE, SQLi
CVE-2026-6637 — Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the...
CVE-2026-6575 — Buffer over-read in PostgreSQL function
CVE-2026-6575 — Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array....
PostgreSQL Denial-of-Service Vulnerability: CVE-2026-6479 Impacts Older Versions
CVE-2026-6479 — Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial...