
6 matches found

CVE, added 2019/03/26 5:48 p.m., 321 views

CVE-2019-3826

Technical details about CVE-2019-3826 are not provided in the linked documents. The only available information is the initial description (XSS in Prometheus 2.7.1 and earlier); the linked sources add no further public details. Monitor for updates.

CVSS 6.1 | AI score 5.9 | EPSS 0.02736
CVE, added 2021/05/19 8:00 p.m., 257 views

CVE-2021-29622

CVE-2021-29622 affects Prometheus. A bug in the /new endpoint, introduced during the 2.23.0 UI migration, allows an attacker to craft a URL that redirects users to an arbitrary address. The issue is mitigated by upgrading to the patched versions (2.26.1 and 2.27.1); the /new endpoint was removed in 2.28....

CVSS 6.5 | AI score 6.4 | EPSS 0.1956
CVE, added 2026/04/15 10:26 p.m., 134 views

CVE-2026-40179

CVE-2026-40179 is a stored XSS in the Prometheus web UI. In versions 3.0–3.5.1 and 3.6.0–3.11.1, metric names and label values are inserted into innerHTML without escaping, affecting both the Mantine UI and the old React UI. Attackers who can influence metrics (via a compromised scrape target, remote write, or ...

CVSS 6.1 | AI score 6 | EPSS 0.0024
CVE, added 2026/05/26 9:27 p.m., 87 views

CVE-2026-44903

CVE-2026-44903 affects Prometheus servers with the legacy web UI enabled. From 2.49.0 up to (but not including) 3.5.3 and 3.11.3, histogram heatmap axis tick labels are not escaped when metric label values are inserted into HTML, allowing an attacker who can inject crafted metrics to run JavaScript in the browser...

CVSS 6.1 | AI score 5.9 | EPSS 0.00182
CVE, added 2026/05/04 6:13 p.m., 47 views

CVE-2026-42154

Prometheus (open-source monitoring/time-series database) is affected by CVE-2026-42154. Before versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker c...

CVSS 7.5 | AI score 5.8 | EPSS 0.00733
CVE, added 2026/05/04 6:12 p.m., 44 views

CVE-2026-42151

Prometheus (open-source monitoring/time-series database) had a vulnerability in its Azure AD remote write OAuth configuration (storage/remote/azuread), where client_secret was stored as a plain string instead of the Secret type. As a result, the client secret was exposed in plaintext to anyone with access to the /-...

CVSS 7.5 | AI score 5.8 | EPSS 0.00314