SB2026041458 - Stored cross-site scripting in prometheus

Published: April 14, 2026

Security Bulletin ID: SB2026041458
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Stored cross-site scripting (CVE-ID: CVE-2026-40179)

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient sanitization of metric names and label values when the Prometheus web UI tooltip and Metrics Explorer components render them. A remote user who controls a scrape target (for example a compromised one), a remote-write sender, or a client of the OTLP receiver endpoint can inject a metric whose name or label value contains HTML markup; the payload is stored with the series and executes in the browser of any user who views it. Note that the remote-write and OTLP ingestion paths are only exposed when the server is started with --web.enable-remote-write-receiver or --web.enable-otlp-receiver respectively, whereas the scrape path is always available to whoever controls a configured scrape target.

User interaction is required: the victim must view the affected series in the Graph UI, for example by hovering over a chart tooltip, opening the Metrics Explorer, or hovering over a heatmap cell.
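A quick way to audit what a scrape target hands to Prometheus, as an added example that is not part of this bulletin and not Prometheus project code: the script below parses the text exposition format and flags every series whose metric name or label value contains characters a browser would treat as markup. It assumes the scrape output is in the text format (including the quoted UTF-8 metric-name form of Prometheus 3.x); the /metrics sample it carries is constructed, and the script name scan_metrics.py is hypothetical. It does not reproduce the vulnerability; it answers the narrower question of whether anything you scrape would reach the affected UI components with markup in it.

```python
"""Scan Prometheus text-exposition output for metric names or label values
that a browser would interpret as markup.

Added example for this bulletin, not Prometheus code: it does not reproduce
CVE-2026-40179, it only flags series that the affected UI components would
render unescaped. The sample scrape below is constructed for illustration.
"""
import re
import sys
from typing import NamedTuple

# Characters that open or close a tag, or terminate an HTML attribute value.
HTML_SIGNIFICANT = re.compile(r'[<>"\'&]')

# Classic metric name: the exposition format restricts it to this character
# set. Label VALUES, by contrast, may contain any UTF-8 text.
_NAME_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)?\s*')
# One item inside {...}: either label="value" or, in the Prometheus 3.x
# quoted-name syntax, a bare "metric name" string with no '=' after it.
_ITEM_RE = re.compile(
    r'\s*(?:(?P<lname>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*)?'
    r'"(?P<lval>(?:[^"\\]|\\.)*)"\s*,?\s*')
_ESC = re.compile(r'\\(.)')


class Finding(NamedTuple):
    line_no: int
    metric: str
    field: str   # "__name__" for the metric name itself, else the label name
    value: str


def _unescape(s: str) -> str:
    # Exposition-format escapes inside a quoted string: \" \\ \n
    return _ESC.sub(lambda m: '\n' if m.group(1) == 'n' else m.group(1), s)


def parse_sample(line: str) -> tuple[str, dict[str, str]]:
    """Return (metric_name, labels) for one sample line; raise on bad syntax."""
    m = _NAME_RE.match(line)
    name, pos, labels = m.group(1) or '', m.end(), {}
    if pos < len(line) and line[pos] == '{':
        pos += 1
        # A '}' inside a quoted label value is consumed by _ITEM_RE, so only
        # an unquoted '}' ends the label set.
        while not (pos < len(line) and line[pos] == '}'):
            im = _ITEM_RE.match(line, pos)
            if im is None:
                raise ValueError(f'bad label set in: {line!r}')
            val = _unescape(im.group('lval'))
            if im.group('lname') is None:
                name = val        # quoted UTF-8 metric name
            else:
                labels[im.group('lname')] = val
            pos = im.end()
        pos += 1  # skip '}'
    if not line[pos:].split():
        raise ValueError(f'missing sample value in: {line!r}')
    return name, labels


def find_markup_series(exposition: str) -> list[Finding]:
    """Flag every series whose name or label values contain HTML-significant
    characters. Blank, comment, HELP and TYPE lines are skipped."""
    findings = []
    for n, raw in enumerate(exposition.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        name, labels = parse_sample(line)
        if HTML_SIGNIFICANT.search(name):
            findings.append(Finding(n, name, '__name__', name))
        for lname, lval in labels.items():
            if HTML_SIGNIFICANT.search(lval):
                findings.append(Finding(n, name, lname, lval))
    return findings


# Constructed /metrics output: benign series mixed with a request path that an
# exporter copied straight from an HTTP request into a label value.
SAMPLE = '''\
# HELP http_requests_total Total HTTP requests.
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/api/v1/query"} 1027
http_requests_total{method="POST",path="/search?q=<img src=x onerror=alert(1)>"} 3
up{instance="10.0.0.5:9100",job="node"} 1
process_open_fds 24
{"cache.hits", tier="l2"} 12
app_errors_total{reason="unexpected \\"}\\" in payload"} 1
'''

if __name__ == '__main__':
    # Usage: curl -s http://<target>/metrics | python scan_metrics.py
    # Empty input runs the constructed SAMPLE instead.
    data = sys.stdin.read() if len(sys.argv) == 1 else open(sys.argv[1]).read()
    for f in find_markup_series(data if data.strip() else SAMPLE):
        print(f'line {f.line_no}: {f.metric} {f.field}={f.value!r}')
```

Run it over the /metrics output of each scrape target, or over a saved scrape. Label values accept arbitrary UTF-8, so an exporter that copies request paths or user agents into labels gives this check something to find even on a target nobody has compromised. Quotes are flagged as well as angle brackets because they break out of attribute values; drop them from HTML_SIGNIFICANT if that is too noisy for your data. Metrics that arrive by remote write or the OTLP receiver never pass through a /metrics endpoint, so for those paths you would instead inspect what the server itself has stored, which this script does not do.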


Remediation

Install the update from the vendor's website. Until it is applied, restrict who can reach the remote-write and OTLP receiver endpoints (or leave them disabled if unused) and treat metric names and label values from scrape targets you do not control as untrusted input.