1398 matches found
GHSA-FW8G-CG8F-9J28 vulnerabilities
Vulnerabilities for packages: keda, telegraf, jaeger, mcp-grafana, opentelemetry-collector, datadog-agent, certificate-transparency, mc, cloud-sql-proxy, minio, node-problem-detector, trillian, karma, prometheus, minio-object-browser, metrics-server, splunk-otel-collector,...
GHSA-FW8G-CG8F-9J28 vulnerabilities
Vulnerabilities for packages: agentbeat, karma-fips, ld-relay-fips, prometheus-pushgateway, metrics-server, telegraf, minio-object-browser-fips, node-problem-detector-fips, prometheus-fips, node-problem-detector, certificate-transparency-fips, istio, mcp-grafana-fips, certificate-transparency,...
BIT-PROMETHEUS-2026-42154 Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...
BIT-PROMETHEUS-2026-42151 Prometheus Azure AD remote write OAuth client secret exposed via config API
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...
SUSE CVE-2026-42151
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...
SUSE CVE-2026-42154
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...
Linux Distros Unpatched Vulnerability : CVE-2026-42154
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not...
PT-2026-38078
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client secret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...
Linux Distros Unpatched Vulnerability : CVE-2026-42151
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write...
PT-2026-38079
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...
GHSA-FW8G-CG8F-9J28 Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
Impact In the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics e.g. via a...
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
Impact In the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics e.g. via a...
EUVD-2026-27091
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload...
GHSA-WG65-39GG-5WFJ Prometheus Azure AD remote write OAuth client secret exposed via config API
Impact Users who use Azure AD remote write with OAuth authentication are impacted. The clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the...
EUVD-2026-27089
Prometheus Azure AD remote write OAuth client secret exposed via config API...
golang-github-prometheus-prometheus-3.11.3-1.1 on GA media (moderate)
golang-github-prometheus-prometheus-3.11.3-1.1 on GA media Announcement ID: openSUSE-SU-2026:10676-1 Rating: moderate Cross-References: CVE-2026-42151 CVE-2026-42154 CVSS scores: CVE-2026-42151 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-42154 SUSE : 7.5...
PT-2026-40721
Name of the Vulnerable Software and Affected Versions Prometheus versions 2.49.0 through 3.5.2 Prometheus versions 3.11.0 through 3.11.2 Description In the legacy web UI, which is enabled via the --enable-feature=old-ui command-line flag, the histogram heatmap chart view fails to escape label...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the remote read endpoint when processing snappy-compressed request bodies. An attacker can cause excessive memory allocation and crash the process by sending specially crafted payloads...
CVE-2026-42151
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...
DEBIAN-CVE-2026-42151
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...