
Prometheus vulnerabilities

6 known vulnerabilities affecting prometheus/prometheus.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 4

Vulnerabilities

CVE-2021-29622 | Priority P3 | MEDIUM | CVSS 6.1 | PoC available | Versions: ≥ 2.23.0, < 2.26.1; v2.27.0; +1 more | Date: 2021-05-19
CWE-601. Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, the URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL that can redirect to any other URL, in the /new endpoint. If a user vi
Source: nvd

CVE-2026-42151 | Priority P3 | HIGH | CVSS 7.5 | Versions: ≥ 2.48.0, < 3.5.3; ≥ 3.6.0, < 3.11.3; +2 more | Date: 2026-05-04
CWE-200. Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint
Source: nvd

CVE-2026-42154 | Priority P3 | HIGH | CVSS 7.5 | Versions: fixed in 3.5.3; ≥ 3.6.0, < 3.11.3; +1 more | Date: 2026-05-04
CWE-400. Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per requ
Source: nvd

CVE-2019-3826 | Priority P4 | MEDIUM | CVSS 6.1 | Versions: fixed in 2.7.1 | Date: 2019-03-26
CWE-79. A stored, DOM-based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
Sources: nvd, osv

CVE-2026-40179 | Priority P4 | MEDIUM | CVSS 6.1 | Versions: ≥ 3.0.0, < 3.5.2; ≥ 3.6.0, < 3.11.2; +3 more | Date: 2026-04-15
CWE-79. Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart to
Source: nvd

CVE-2026-44903 | Priority P4 | MEDIUM | CVSS 6.1 | Versions: ≥ 2.49.0, < 3.5.3; ≥ 3.6.0, < 3.11.3; +2 more | Date: 2026-05-26
CWE-79. Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An a
Source: nvd
Prometheus vulnerabilities | cvebase