#VU125920 Stored cross-site scripting in prometheus - CVE-2026-40179
Published: April 14, 2026
Vulnerability identifier: #VU125920
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40179
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
prometheus
prometheus
Software vendor:
Prometheus
Prometheus
Description
The vulnerability allows a remote user to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the Prometheus web UI tooltip and metrics explorer components when rendering crafted metric names or label values. A remote user can inject crafted metrics through a compromised scrape target, remote write, or the OTLP receiver endpoint to execute arbitrary script in the victim's browser.
User interaction is required to view the affected metric in the Graph UI, such as hovering over a chart tooltip, opening the Metric Explorer, or hovering over a heatmap cell.
Remediation
Install security update from vendor's website.