CVE-2026-40179 — Cross-site Scripting in Prometheus
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 97.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 15
Latest update: Apr 16
Description
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 contain stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI, where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and the old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search…
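The defect the description names is a tooltip that concatenates metric names and label values straight into innerHTML. The following is an added illustration, not Prometheus project code: a constructed label value carrying markup, the unescaped pattern beside an escaped one, and a small check a defender can run over scraped metric names and label values to flag ones that contain markup characters.

```javascript
// Added example (not Prometheus code). Metric names and label values are
// attacker-influenced data once they come from a scraped target, so anything
// that ends up in innerHTML must be escaped first.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Pattern of the kind the advisory describes: raw data joined into markup.
// Anything inside metricName or a label value becomes live DOM when this
// string is assigned to innerHTML.
function tooltipHtmlUnsafe(metricName, labels) {
  const pairs = Object.entries(labels).map(([k, v]) => `${k}="${v}"`).join(", ");
  return `<b>${metricName}</b>{${pairs}}`;
}

// Hardened form: every untrusted fragment is escaped before it is joined
// into the markup, so the series identity is shown as text.
function tooltipHtmlEscaped(metricName, labels) {
  const pairs = Object.entries(labels)
    .map(([k, v]) => `${escapeHtml(k)}="${escapeHtml(v)}"`)
    .join(", ");
  return `<b>${escapeHtml(metricName)}</b>{${pairs}}`;
}

// Detection aid: report series whose name or label values contain markup
// characters. Valid metric and label names never contain them, and label
// values rarely do, so a hit is worth a look at the scrape target.
function seriesWithMarkup(series) {
  const suspicious = /[<>&"']/;
  return series.filter(({ name, labels }) =>
    suspicious.test(name) || Object.values(labels).some((v) => suspicious.test(v)));
}

// Constructed sample: one ordinary series and one whose label value
// carries a harmless tag, enough to show the difference in output.
const SAMPLE_SERIES = [
  { name: "http_requests_total", labels: { job: "api", instance: "10.0.0.5:9100" } },
  { name: "http_requests_total", labels: { job: "api", instance: "<b>host</b>" } },
];
```

The escaped tooltip for the second sample series renders the literal text `<b>host</b>` inside the bold metric name, while the unsafe form would hand the tag to the browser as markup.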
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected packages: 2 packages
Vulnerability details (3 sources)
VulDB: Prometheus up to 3.5.1/3.11.1 label_replace label cross site scripting (GHSA-vffh-x6r8-xx99), 2026-04-16
CVEList: Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer, 2026-04-15
GHSA: Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer, 2026-04-13