XSS in Prometheus
CVE-2026-40179
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric name…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (1.9th percentile)
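The rendering mistake behind a stored XSS of this kind, beside its escaped form, as an added example. This is not Prometheus project code and does not reproduce the specific affected UI component; the function names, the sample series and the tag-counting check are assumptions for illustration. It relies on one documented fact about the affected major version: since Prometheus 3.0 metric and label names may contain UTF-8, so a name is no longer limited to `[a-zA-Z0-9_:]` and can carry HTML metacharacters.

```javascript
// Added example (not Prometheus project code): untrusted metric name rendered
// unsafely versus escaped. Names, sample data and helpers are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text and quoted attribute-value contexts. Not sufficient on
// its own for URL (href/src) or inline-script contexts, which need their own
// encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed sample: one series whose metric name carries an HTML payload.
// Assumption: the name arrived through an ingestion path (scrape or remote
// write) that the viewer of the UI does not control, so it is untrusted input.
const SAMPLE_SERIES = {
  name: 'http_requests_total<img src=x onerror="alert(document.cookie)">',
  value: 42,
};

// Vulnerable pattern: untrusted fields interpolated straight into markup that
// is later assigned to innerHTML / dangerouslySetInnerHTML. The payload's <img>
// becomes a live element and its onerror handler runs in the UI's origin.
function renderSeriesUnsafe(series) {
  return `<tr><td class="metric">${series.name}</td><td>${series.value}</td></tr>`;
}

// Hardened pattern: every untrusted field passes through escapeHtml, so the
// payload is displayed as text and never parsed as an element.
function renderSeriesSafe(series) {
  return `<tr><td class="metric">${escapeHtml(series.name)}</td><td>${escapeHtml(series.value)}</td></tr>`;
}

// Check: count element tags in the output. The template contributes exactly
// six (tr, td, /td, td, /td, /tr); any extra tag came from the data.
function countTags(html) {
  return (html.match(/<\/?[A-Za-z]/g) || []).length;
}

// Returns true when rendering a series produced tags the template alone did not
// contain, i.e. when data was interpreted as markup. Good enough for a unit
// test of a renderer; it is not a sanitizer.
function injectedMarkup(render, series) {
  const template = render({ name: '', value: '' });
  return countTags(render(series)) > countTags(template);
}
```

React (which the Prometheus UI is built on) escapes JSX text by default, so the pattern above typically surfaces where raw HTML is assembled by hand, passed to `dangerouslySetInnerHTML`, or produced by a third-party widget that builds its own markup. The `injectedMarkup` check is the kind of regression test worth keeping next to any renderer that displays metric or label names.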
Affected products
- Prometheus 3.0.0 through 3.5.1 (fixed in 3.5.2)
- Prometheus 3.6.0 through 3.11.1 (fixed in 3.11.2)
- Prometheus main-branch Go module pseudo-versions before 0.311.2-0.20260410083055-07c6232d159b (the pseudo-version of fix commit 07c6232d159b referenced below)
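A version check against the two affected ranges above, as an added example (not Prometheus project code). The endpoint `GET /api/v1/status/buildinfo` is the real Prometheus API that reports the running version; the sample response body, the range table and the helper names are assumptions constructed for this illustration. The check handles the edge case of pre-release builds, which the bare "fixed in" boundaries do not spell out.

```javascript
// Added example (not Prometheus project code): classify a Prometheus version
// against the affected ranges from this advisory.

const AFFECTED_RANGES = [
  { from: [3, 0, 0], fixed: [3, 5, 2] },  // 3.0.0 <= v < 3.5.2
  { from: [3, 6, 0], fixed: [3, 11, 2] }, // 3.6.0 <= v < 3.11.2
];

// Parse "3.5.2", "v3.5.2" or "3.5.2-rc.0" into numeric parts plus a
// pre-release tag. Build metadata after "+" is ignored.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${JSON.stringify(text)}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls in an affected range. Edge case: a pre-release
// of the fixed version (e.g. 3.5.2-rc.0) sorts before 3.5.2 in semver and is
// still reported as affected. A pre-release of the lower bound (3.0.0-rc.0)
// is also reported as affected, which over-reports rather than under-reports.
function isAffected(text) {
  const { parts, prerelease } = parseVersion(text);
  return AFFECTED_RANGES.some((r) => {
    if (compareParts(parts, r.from) < 0) return false;
    const c = compareParts(parts, r.fixed);
    return c < 0 || (c === 0 && prerelease !== null);
  });
}

// Constructed sample body in the shape returned by /api/v1/status/buildinfo;
// the values are made up for this example.
const SAMPLE_BUILDINFO = JSON.stringify({
  status: 'success',
  data: {
    version: '3.6.0',
    revision: 'abc1234',
    branch: 'HEAD',
    buildUser: 'root@buildhost',
    buildDate: '20260101-00:00:00',
    goVersion: 'go1.25.0',
  },
});

// Validate the response shape before trusting the version string.
function assessBuildInfo(body) {
  const parsed = JSON.parse(body);
  if (parsed.status !== 'success' || !parsed.data || typeof parsed.data.version !== 'string') {
    throw new Error('unexpected buildinfo response');
  }
  const version = parsed.data.version;
  return { version, affected: isAffected(version) };
}

// Live use (Node 18+ has a global fetch); BASE_URL is a placeholder:
//   fetch(`${BASE_URL}/api/v1/status/buildinfo`)
//     .then((r) => r.text())
//     .then((body) => console.log(assessBuildInfo(body)));
```

Patch releases on the 3.5 line after 3.5.2 are not affected, and the 2.x line is outside both ranges; the check reflects that rather than treating "anything below 3.11.2" as vulnerable.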
Weakness classification (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), the standard mapping for stored XSS
References
- GitHub security advisory GHSA-vffh-x6r8-xx99: https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
- Fix pull request #18506: https://github.com/prometheus/prometheus/pull/18506
- Fix commit 07c6232d159b: https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c