github.com/prometheus/prometheus vulnerabilities
6 known vulnerabilities affecting github.com/prometheus_prometheus.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 4
Vulnerabilities
CVE-2021-29622 | P3 | MEDIUM | PoC | ≥ 2.23.0, < 2.26.1 | ≥ 2.27.0, < 2.27.1 | 2022-02-15
CVE-2021-29622 [MEDIUM] Arbitrary redirects under /new endpoint
### Impact
In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /.
Due to a bug in the code, it is possible for an attacker to craft a URL under the /new endpoint that redirects to any other URL.
If a user visits a Prometheus server with a specially crafted address (e.g. `http://127.0.0.1:9090/new/new`), they
Source: osv
CVE-2026-42151 | P3 | HIGH | ≥ 0.45.2, < 0.311.3 | 2026-05-05
CVE-2026-42151 [HIGH] CWE-200 Prometheus Azure AD remote write OAuth client secret exposed via config API
### Impact
Users who use Azure AD remote write with OAuth authentication are impacted.
The `client_secret` field in the Azure AD remote write OAuth configuration (`storage/remote/azuread`) was typed as `string` instead of `Secret`. Prometheus redacts fields of type `Secret` when serving the configuration via the `
Source: ghsa
CVE-2026-42154 | P3 | HIGH | ≥ 0, < 0.311.3 | 2026-05-05
CVE-2026-42154 [HIGH] CWE-400 Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
### Impact
The remote read endpoint (`/api/v1/read`) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.
An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhau
Source: ghsa
CVE-2019-3826 | P4 | MEDIUM | ≥ 0, < 2.7.1 | 2023-12-13
CVE-2019-3826 [MEDIUM] CWE-79 Withdrawn Advisory: Prometheus XSS Vulnerability
## Withdrawn Advisory
This advisory has been withdrawn because the vulnerability does not apply to the Prometheus golang package. This link is maintained to preserve external references.
## Original Description
A stored, DOM-based cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticate
Sources: ghsa, osv
CVE-2026-40179 | P4 | MEDIUM | ≥ 3.0.0, ≤ 3.5.1 | ≥ 3.6.0, ≤ 3.11.1 | +1 more | 2026-04-13
CVE-2026-40179 [MEDIUM] CWE-79 Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
### Impact
Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:
* **Old React UI + New Mantine UI:** When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected
Source: ghsa
CVE-2019-10215 | P4 | MEDIUM | ≥ 0, < 0.311.3 | 2026-05-05
CVE-2019-10215 [MEDIUM] CWE-79 Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
### Impact
In the Prometheus server's legacy web UI (enabled via the command-line flag `--enable-feature=old-ui`), the histogram heatmap chart view does not escape `le` label values when inserting them into the HTML for use as axis tick mark l
Source: ghsa