6 matches found
CVE-2019-3826
The linked documents give no technical details for CVE-2019-3826 beyond its initial description: a cross-site scripting (XSS) issue affecting Prometheus 2.7.1 and earlier. No further public details are available in the linked sources; monitor for updates.
CVE-2021-29622
CVE-2021-29622 affects Prometheus. An open redirect in the /new endpoint, introduced during the 2.23.0 UI migration, lets an attacker craft a URL that redirects users to an arbitrary address. The issue is fixed in 2.26.1 and 2.27.1, and the /new endpoint is removed in 2.28....
CVE-2026-40179
CVE-2026-40179 is a stored XSS in the Prometheus web UI. Versions 3.0–3.5.1 and 3.6.0–3.11.1 insert metric names and label values into innerHTML without escaping, in both the Mantine UI and the old React UI. Attackers who can influence metrics (via compromised scrape target, remote write, or ...
CVE-2026-44903
CVE-2026-44903 affects Prometheus servers with the legacy web UI enabled. From 2.49.0 up to before 3.5.3 and 3.11.3, histogram heatmap axis tick labels are not escaped when metric label values are inserted into HTML, allowing an attacker who can inject crafted metrics to run JavaScript in the browser...
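The two advisories above share one root cause: label values reach the DOM as markup. As an added illustration (not Prometheus code; the affected UIs are React/TypeScript, and this reproduces the pattern in Go), the block below renders constructed heatmap tick labels both the vulnerable way and with escaping. Prometheus accepts arbitrary UTF-8 in label values, so the two payloads are valid metric data that a scrape target or remote-write client could supply. All function and variable names are the example's own.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// sampleLabelValues are constructed label values of the kind a histogram's
// "le" label, or any other label, might carry. The last two are constructed
// payloads; they are legal label values and survive ingestion unchanged.
var sampleLabelValues = []string{
	"0.005",
	"+Inf",
	`<img src=x onerror=alert(1)>`,               // constructed payload
	`"><script>alert(document.cookie)</script>`, // constructed payload
}

// renderTicksUnsafe reproduces the vulnerable pattern: untrusted label values
// concatenated straight into markup, which is what assigning the result to
// innerHTML amounts to.
func renderTicksUnsafe(values []string) string {
	var b strings.Builder
	for _, v := range values {
		fmt.Fprintf(&b, `<text class="tick" data-le="%s">%s</text>`, v, v)
	}
	return b.String()
}

// renderTicksEscaped is the hardened form: each value is HTML-escaped before
// it is placed in either the (quoted) attribute or the text context.
// html.EscapeString rewrites <, >, &, ' and ", which covers both contexts
// as long as the attribute stays quoted.
func renderTicksEscaped(values []string) string {
	var b strings.Builder
	for _, v := range values {
		e := html.EscapeString(v)
		fmt.Fprintf(&b, `<text class="tick" data-le="%s">%s</text>`, e, e)
	}
	return b.String()
}

// countTagOpeners counts raw '<' characters in the output. A safe rendering
// of N values contains exactly 2*N of them (one <text> and one </text> per
// value); anything above that came from the data.
func countTagOpeners(markup string) int {
	return strings.Count(markup, "<")
}

func main() {
	fmt.Println("unsafe  :", countTagOpeners(renderTicksUnsafe(sampleLabelValues)))
	fmt.Println("escaped :", countTagOpeners(renderTicksEscaped(sampleLabelValues)))
}
```

With four values the unsafe rendering carries 14 tag openers and the escaped one the expected 8; the same escaping is needed wherever a label value is interpolated into markup, not only on the heatmap axis.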
CVE-2026-42154
Prometheus (open-source monitoring/time-series database) is affected by CVE-2026-42154. Before versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker c...
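What the missing check looks like, as an added example that is not Prometheus's own code: a snappy block stream begins with a varint giving the uncompressed length, and a decoder that trusts it sizes its output buffer from that number before it has seen any real data. The guard below reads that prefix with the standard library (a real fix would take the same value from the snappy library's DecodedLen) and rejects oversized claims before anything is allocated. The 64 MiB limit and all identifiers are assumptions, not Prometheus's values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxRemoteReadBody is an assumed cap on the decoded request size; the limit
// Prometheus actually applies is not given on this page.
const maxRemoteReadBody = 64 << 20 // 64 MiB

var (
	errBadHeader = errors.New("snappy: malformed length prefix")
	errTooLarge  = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredDecodedLen reads the varint a snappy block stream starts with.
// This is the number the decoder uses to size its output buffer, and it is
// entirely under the sender's control.
func declaredDecodedLen(compressed []byte) (uint64, error) {
	n, read := binary.Uvarint(compressed)
	if read <= 0 { // empty input or overlong varint
		return 0, errBadHeader
	}
	return n, nil
}

// checkDecodedLen is the guard that must run before any allocation: refuse the
// request if the declared size is implausible for this endpoint.
func checkDecodedLen(compressed []byte, limit uint64) error {
	n, err := declaredDecodedLen(compressed)
	if err != nil {
		return err
	}
	if n > limit {
		return fmt.Errorf("%w: %d > %d", errTooLarge, n, limit)
	}
	return nil
}

// forgeHeader builds a constructed request body that claims a huge decoded
// size while carrying almost no compressed data: a few bytes on the wire that
// would ask an unguarded decoder for an allocation of the claimed size.
func forgeHeader(claimed uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(buf, claimed)
	return append(buf[:n], 0x00) // one trailing byte, no real payload
}

func main() {
	hostile := forgeHeader(8 << 40) // claims 8 TiB in 7 bytes
	fmt.Println("hostile:", checkDecodedLen(hostile, maxRemoteReadBody))
	benign := forgeHeader(1024)
	fmt.Println("benign :", checkDecodedLen(benign, maxRemoteReadBody))
}
```

The cap belongs in front of the decoder, not after it: once the decoder has allocated, the damage is done, and the check costs one varint read on a few bytes that have already been received.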
CVE-2026-42151
Prometheus (open-source monitoring/time-series DB) is affected by CVE-2026-42151: in the Azure AD remote write OAuth configuration (storage/remote/azuread), client_secret was held as a plain string rather than the Secret type, so the client secret was exposed in plaintext to anyone with access to the /-...
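The fix amounts to a type change, shown here with an added, simplified Secret type that is not the one Prometheus uses: the same configuration with client_secret as a plain string and as a redacting type, serialised the way a config endpoint might render it. JSON via the standard library stands in for whatever encoding the real endpoint uses; the field names follow the Azure AD settings named on the page, and the sample values are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a simplified stand-in for a redacting string type (Prometheus has
// its own; this is not it). Inside the program it is an ordinary string, but
// any serialisation of it yields a placeholder rather than the value.
type Secret string

// MarshalJSON replaces a non-empty secret with "<secret>". An empty secret is
// rendered as "" so an operator can still tell unset from set.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"<secret>"`), nil
}

// azureADOAuthLeaky models the vulnerable shape: client_secret is a plain
// string, so every rendering of the config carries it verbatim.
type azureADOAuthLeaky struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// azureADOAuthFixed is the same config with the redacting type.
type azureADOAuthFixed struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// constructedSecret is a made-up value standing in for a real client secret.
const constructedSecret = "s3cr3t-client-credential"

var (
	leakyConfig = azureADOAuthLeaky{
		ClientID:     "00000000-0000-0000-0000-000000000000",
		ClientSecret: constructedSecret,
		TenantID:     "contoso.onmicrosoft.com",
	}
	fixedConfig = azureADOAuthFixed{
		ClientID:     "00000000-0000-0000-0000-000000000000",
		ClientSecret: Secret(constructedSecret),
		TenantID:     "contoso.onmicrosoft.com",
	}
)

// renderConfig serialises a config the way a status or config endpoint might.
// HTML escaping is turned off only so that "<secret>" stays readable here.
func renderConfig(v any) (string, error) {
	var b bytes.Buffer
	enc := json.NewEncoder(&b)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return "", err
	}
	return strings.TrimSpace(b.String()), nil
}

func main() {
	for _, cfg := range []any{leakyConfig, fixedConfig} {
		out, err := renderConfig(cfg)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

The point of the type is that redaction happens at the type, not at each call site: every code path that renders the configuration gets the placeholder, so a new debugging or status endpoint cannot reintroduce the leak by forgetting to mask one field.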