Prometheus vulnerabilities
3 known vulnerabilities affecting prometheus/prometheus.
Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: MEDIUM 3
Vulnerabilities
CVE-2026-40179 | MEDIUM | CVSS 5.3 | v>= 3.0.0, < 3.5.2 | v>= 3.6.0, < 3.11.2 | +1 more | 2026-04-15
CVE-2026-40179 [MEDIUM] CWE-79
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart to
cvelistv5, nvd
CVE-2021-29622 | MEDIUM | CVSS 6.1 | PoC | ≥ 2.23.0, < 2.26.1 | v2.27.0 | +1 more | 2021-05-19
CVE-2021-29622 [MEDIUM] CWE-601
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL that can redirect to any other URL, in the /new endpoint. If a user vi
cvelistv5, nvd
CVE-2019-3826 | MEDIUM | CVSS 6.1 | fixed in 2.7.1 | 2019-03-26
CVE-2019-3826 [MEDIUM] CWE-79
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
nvd, osv