1398 matches found
Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
Prometheus Blackbox Exporter through 0.17.0 contains a server-side request forgery caused by unsanitized target parameter in /probe, letting attackers perform SSRF attacks, exploit requires sending crafted target parameter. id: CVE-2020-16248 info: name: Prometheus Blackbox Exporter - Server-Side...
Prometheus - Open Redirect
Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and...
CVE-2026-25680 affecting package prometheus-adapter for versions less than 0.12.0-6
CVE-2026-25680 affecting package prometheus-adapter for versions less than 0.12.0-6. A patched version of the package is available...
CVE-2026-39821 affecting package prometheus-node-exporter for versions less than 1.7.0-4
CVE-2026-39821 affecting package prometheus-node-exporter for versions less than 1.7.0-4. A patched version of the package is available...
CVE-2026-25681 affecting package prometheus-adapter for versions less than 0.12.0-6
CVE-2026-25681 affecting package prometheus-adapter for versions less than 0.12.0-6. A patched version of the package is available...
CVE-2026-42506 affecting package prometheus-adapter for versions less than 0.12.0-6
CVE-2026-42506 affecting package prometheus-adapter for versions less than 0.12.0-6. A patched version of the package is available...
CVE-2026-27136 affecting package prometheus-adapter for versions less than 0.12.0-6
CVE-2026-27136 affecting package prometheus-adapter for versions less than 0.12.0-6. A patched version of the package is available...
CVE-2026-42502 affecting package prometheus-adapter for versions less than 0.12.0-6
CVE-2026-42502 affecting package prometheus-adapter for versions less than 0.12.0-6. A patched version of the package is available...
CVE-2026-39821 affecting package prometheus-adapter for versions less than 0.12.0-6
CVE-2026-39821 affecting package prometheus-adapter for versions less than 0.12.0-6. A patched version of the package is available...
CVE-2026-39821 affecting package prometheus-process-exporter for versions less than 0.8.2-4
CVE-2026-39821 affecting package prometheus-process-exporter for versions less than 0.8.2-4. A patched version of the package is available...
Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces
Impact The Ironic Standalone Operator IRSO is the operator to maintain an Ironic deployment for Metal3. The Prometheus metrics exporter binds to 0.0.0.0 all network interfaces by default with no authentication. The default config is disabled. If enabled, this exposes operational metrics to any ho...
GHSA-7CWM-FPFH-RRCH Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces
Impact The Ironic Standalone Operator IRSO is the operator to maintain an Ironic deployment for Metal3. The Prometheus metrics exporter binds to 0.0.0.0 all network interfaces by default with no authentication. The default config is disabled. If enabled, this exposes operational metrics to any ho...
BIT-PROMETHEUS-2026-44903 Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...
Linux Distros Unpatched Vulnerability : CVE-2026-44903
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enable...
CVE-2026-44902
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...
CVE-2026-44902
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...
CVE-2026-44902
Summary: CVE-2026-44902 affects the OpenTelemetry JS client, specifically the Prometheus exporter in opentelemetry-js prior to 0.217.0. A single malformed HTTP request to the default metrics endpoint (0.0.0.0:9464) has no URL parsing error handling, causing an uncaught TypeError that crashes the ...
CVE-2026-44902 opentelemetry-js: Prometheus exporter process crash via malformed HTTP request
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...
EUVD-2026-32538
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...
CVE-2026-44902 opentelemetry-js: Prometheus exporter process crash via malformed HTTP request
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...