github.com/prometheus/prometheus vulnerabilities

3 known vulnerabilities affecting github.com/prometheus/prometheus (the Prometheus server and its Go module).

Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: MEDIUM 3

Vulnerabilities

CVE-2026-40179  Severity: MEDIUM  Affected: ≥ 3.0.0, ≤ 3.5.1; ≥ 3.6.0, ≤ 3.11.1; +1 more  Date: 2026-04-13
CVE-2026-40179 [MEDIUM] CWE-79: Prometheus has stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
### Impact
Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:
* **Old React UI + New Mantine UI:** When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected
Sources: ghsa
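The advisory above turns on a single precondition: a metric name or label value that carries markup reaches the web UI without being escaped. The scanner below is an added example, not Prometheus code. It walks text-format exposition lines in the classic `name{label="v"} value` form and, as an assumption about the 3.x quoted-name syntax, the `{"name",label="v"} value` form, tokenising the braces with quote awareness so a payload containing `=` or `,` is kept whole, and reports every metric name or label value an HTML context would have to escape. Names outside the classic `[a-zA-Z_:][a-zA-Z0-9_:]*` charset are reported as well, because a name able to carry `<` at all is what makes the stored payload possible. The sample input is constructed; `evil` values and the `demo` job are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// classicName is the traditional Prometheus metric-name charset.
var classicName = regexp.MustCompile(`^[a-zA-Z_:][a-zA-Z0-9_:]*$`)

// Finding is one metric name or label value a UI must escape before
// rendering it as HTML.
type Finding struct {
	Line  int
	Field string // "metric name" or "label <label name>"
	Value string
}

// markupRisk flags tag delimiters, quotes and javascript: URLs.
func markupRisk(s string) bool {
	return strings.ContainsAny(s, `<>"'`) ||
		strings.Contains(strings.ToLower(s), "javascript:")
}

// parseBraces tokenizes the text between "{" and "}" into (key, value) pairs,
// splitting on "=" and "," only outside quoted strings. An item with no "="
// (the quoted metric-name form, assumed here) comes back with an empty value.
func parseBraces(body string) [][2]string {
	var items [][2]string
	var cur strings.Builder
	key, haveKey := "", false
	inQuote, escaped := false, false
	flush := func() {
		s := strings.TrimSpace(cur.String())
		cur.Reset()
		if haveKey {
			items = append(items, [2]string{key, s})
		} else if s != "" {
			items = append(items, [2]string{s, ""})
		}
		key, haveKey = "", false
	}
	for _, c := range body {
		switch {
		case escaped:
			escaped = false
		case c == '\\' && inQuote:
			escaped = true
		case c == '"':
			inQuote = !inQuote
		case c == '=' && !inQuote && !haveKey:
			key, haveKey = strings.TrimSpace(cur.String()), true
			cur.Reset()
			continue
		case c == ',' && !inQuote:
			flush()
			continue
		}
		cur.WriteRune(c)
	}
	flush()
	return items
}

// unquote strips surrounding quotes and undoes the \\ \" \n escapes.
func unquote(s string) string {
	if len(s) >= 2 && s[0] == '"' && s[len(s)-1] == '"' {
		return strings.NewReplacer(`\\`, `\`, `\"`, `"`, `\n`, "\n").Replace(s[1 : len(s)-1])
	}
	return s
}

// scanExposition walks sample lines (comments skipped) and reports each
// metric name or label value carrying markup-significant text.
func scanExposition(text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		start, end := strings.IndexByte(line, '{'), strings.LastIndexByte(line, '}')
		name, _, _ := strings.Cut(line, " ")
		var labels [][2]string
		if start >= 0 && end > start {
			name = line[:start]
			for _, kv := range parseBraces(line[start+1 : end]) {
				if kv[1] == "" {
					name = unquote(kv[0]) // quoted metric name inside the braces
				} else {
					labels = append(labels, [2]string{kv[0], unquote(kv[1])})
				}
			}
		}
		if markupRisk(name) || !classicName.MatchString(name) {
			out = append(out, Finding{n, "metric name", name})
		}
		for _, kv := range labels {
			if markupRisk(kv[1]) {
				out = append(out, Finding{n, "label " + kv[0], kv[1]})
			}
		}
	}
	return out
}

// sampleExposition is constructed input: two clean samples, two with payloads.
const sampleExposition = `# HELP http_requests_total Total requests.
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/metrics"} 42
node_load1 0.5
{"<img src=x onerror=alert(1)>",job="demo"} 1
app_errors_total{reason="<script>alert(document.cookie)</script>",code="500"} 3`

func main() {
	for _, f := range scanExposition(sampleExposition) {
		fmt.Printf("line %d: %s contains markup: %q\n", f.Line, f.Field, f.Value)
	}
}
```

Point it at a target's /metrics output or a Pushgateway payload to find where such names enter a deployment; that is triage, not a fix, since the flaw sits in the UI rather than the scrape path, and the remedy remains upgrading to a patched release.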
CVE-2019-3826  Severity: MEDIUM  Affected: ≥ 0, < 2.7.1  Date: 2023-12-13
CVE-2019-3826 [MEDIUM] CWE-79: Withdrawn advisory: Prometheus XSS vulnerability
## Withdrawn Advisory
This advisory has been withdrawn because the vulnerability does not apply to the Prometheus golang package. This link is maintained to preserve external references. The withdrawal concerns the Go package advisory; the original finding against the server is kept below.
## Original Description
A stored, DOM-based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticate
Sources: ghsa, osv
CVE-2021-29622  Severity: MEDIUM  Public exploit: PoC  Affected: ≥ 2.23.0, < 2.26.1; ≥ 2.27.0, < 2.27.1  Date: 2022-02-15
CVE-2021-29622 [MEDIUM] Arbitrary redirects under /new endpoint
### Impact
In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL that redirects to any other URL from the /new endpoint. If a user visits a Prometheus server with a specially crafted address (e.g.: `http://127.0.0.1:9090/new/new`), they
Sources: osv
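The description above is cut short, but the mechanism it gives, a compatibility prefix whose remainder becomes the redirect target, is enough for a worked example of the bug class and its check. The Go below is an added illustration, not the Prometheus handler: legacyRedirect strips /new and redirects to whatever is left, while hardenedRedirect runs the remainder through localTarget, which accepts only an absolute path on the same server (a single leading "/", no scheme, authority or backslash). The request paths and the hostname evil.example are constructed for the demonstration and are not the page's PoC.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// legacyRedirect is a constructed illustration of the risky shape behind an
// open redirect on a compatibility prefix: whatever follows "/new" is trusted
// as the redirect target. It is not the Prometheus source.
func legacyRedirect(w http.ResponseWriter, r *http.Request) {
	target := strings.TrimPrefix(r.URL.Path, "/new")
	if target == "" {
		target = "/"
	}
	if r.URL.RawQuery != "" {
		target += "?" + r.URL.RawQuery
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// localTarget accepts p only if it is an absolute path on this server and
// nothing a browser could read as another origin: a single leading "/", no
// scheme or authority, and no backslash or control character (browsers treat
// "/\host" like "//host"). Requiring the leading "/" also rejects the
// "http:/host" shape that browsers resolve as http://host.
func localTarget(p string) (string, bool) {
	if p == "" {
		p = "/"
	}
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.ContainsAny(p, "\\\r\n\x00") {
		return "", false
	}
	u, err := url.Parse(p)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	// path.Clean collapses "//" and ".." segments, so the result cannot regain
	// a protocol-relative prefix.
	return path.Clean(u.Path), true
}

// hardenedRedirect applies the same prefix strip but refuses any target that
// would leave the server, keeping the query string for legitimate links.
func hardenedRedirect(w http.ResponseWriter, r *http.Request) {
	target, ok := localTarget(strings.TrimPrefix(r.URL.Path, "/new"))
	if !ok {
		http.Error(w, "refusing redirect outside this server", http.StatusBadRequest)
		return
	}
	if r.URL.RawQuery != "" {
		target += "?" + r.URL.RawQuery
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// redirectOutcome drives a handler with a constructed GET request and returns
// the status code and Location header it produced.
func redirectOutcome(h http.HandlerFunc, rawPath string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	for _, raw := range []string{
		"/new/graph?g0.expr=up",    // legitimate link into the new UI
		"/new//evil.example",       // protocol-relative: the browser leaves the site
		"/newhttp://evil.example",  // a scheme survives the prefix strip
		"/new/http://evil.example", // colon inside the path: stays local
	} {
		lc, ll := redirectOutcome(legacyRedirect, raw)
		hc, hl := redirectOutcome(hardenedRedirect, raw)
		fmt.Printf("%-28s legacy: %d %-24q hardened: %d %q\n", raw, lc, ll, hc, hl)
	}
}
```

Note that net/http's Redirect only normalises targets it parses as relative; a value such as "//evil.example" parses with a host and is written to the Location header verbatim, so the check has to happen before the call.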