CVE-2026-40179
published 2026-04-15CVE-2026-40179: Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting…
PriorityP430medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.24%
15.0th percentile
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like , and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | prometheus_prometheus | >= 0 < 0.311.2-0.20260410083055-07c6232d159b | 0.311.2-0.20260410083055-07c6232d159b |
| github.com | prometheus_prometheus | >= 0 < 0.311.3 | 0.311.3 |
| github.com | prometheus_prometheus | 3.0.0 – 3.5.1 | — |
| github.com | prometheus_prometheus | 3.6.0 – 3.11.1 | — |
| prometheus | prometheus | < 0.311.2-0.20260410083055-07c6232d159b | 0.311.2-0.20260410083055-07c6232d159b |
| prometheus | prometheus | — | — |
| prometheus | prometheus | — | — |
| prometheus | prometheus | >= 3.0.0 < 3.5.2 | 3.5.2 |
| prometheus | prometheus | >= 3.6.0 < 3.11.2 | 3.11.2 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
ghsa·2026-05-05
CVE-2019-10215 [MEDIUM] CWE-79 Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
### Impact
In the Prometheus server's legacy web UI (enabled via the command-line flag `--enable-feature=old-ui`), the histogram heatmap chart view does not escape `le` label values when inserting them into the HTML for use as axis tick mark labels.
An attacker who can inject crafted metrics (e.g. via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. From the XSS context, an attacker could for example:
- Read `/api/v1/status/config` to extract sensitive configuration (although credentials / secrets are redacted by the server)
- Call `/-/quit` to shut
VulDB
Prometheus up to 3.5.1/3.11.1 label_replace label cross site scripting (GHSA-vffh-x6r8-xx99)
vuldb·2026-04-16·CVSS 5.3
CVE-2026-40179 [MEDIUM] Prometheus up to 3.5.1/3.11.1 label_replace label cross site scripting (GHSA-vffh-x6r8-xx99)
A vulnerability was found in Prometheus up to 3.5.1/3.11.1 and classified as problematic. This vulnerability affects the function label_replace. Executing a manipulation of the argument label can lead to cross site scripting.
The identification of this vulnerability is CVE-2026-40179. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
ghsa·2026-04-13
CVE-2026-40179 [MEDIUM] CWE-79 Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
### Impact
Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:
* **Old React UI + New Mantine UI:** When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into `innerHTML` without escaping, causing arbitrary script execution in the user's browser.
* **Old React UI only:** When a user opens the Metric Explorer (globe icon next to the PromQL expression input field), and a metric name containing HTML/JavaScript is rendered in the fuzzy search results, it is injected into `innerHTML` without escaping, causing arbitrary script execution in the user's browser.
* **Old React UI only:** When a use
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-15
Published