Stored cross-site scripting in prometheus - CVE-2026-40179

Published: April 14, 2026


Vulnerability identifier: #VU125920
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40179
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Prometheus
Affected software: prometheus

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient neutralization of metric names and label values when the Prometheus web UI tooltip and Metric Explorer components render them. A remote user can inject crafted metrics through a compromised scrape target, remote write, or the OTLP receiver endpoint; because the crafted series is stored by Prometheus, the script later executes in the browser of any user who views the affected metric (stored XSS).

User interaction is required to view the affected metric in the Graph UI, such as hovering over a chart tooltip, opening the Metric Explorer, or hovering over a heatmap cell.
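Added example, not part of the advisory or of the Prometheus project: a small Python triage check that lists series already stored on a server whose metric name or label values carry HTML metacharacters, so an operator can find injected series while rolling out the fix. It consumes the parsed JSON body of the real `/api/v1/series` endpoint of the Prometheus HTTP API (queried with a `match[]` selector); the sample response below is constructed, and the "legacy charset" classification is only an informational hint since UTF-8 metric names are legitimate in Prometheus 3.x.

```python
import re

# Metric name character set Prometheus accepted before UTF-8 names (v3.0+).
LEGACY_METRIC_NAME = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")
# Characters and fragments that become significant once a value is
# interpolated into HTML: tag/attribute delimiters, entity prefix,
# javascript: URLs and on*= event-handler attributes.
HTML_META = re.compile(r"""[<>"'&]|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def audit_series(api_response):
    """Return findings for series whose names or label values could carry markup.

    `api_response` is the parsed JSON body of GET /api/v1/series:
    {"status": "success", "data": [{"__name__": ..., label: value, ...}, ...]}
    """
    findings = []
    for series in api_response.get("data", []):
        for label, value in series.items():
            if HTML_META.search(label) or HTML_META.search(value):
                findings.append({"series": series, "field": label,
                                 "reason": "HTML metacharacters", "severity": "high"})
            elif label == "__name__" and not LEGACY_METRIC_NAME.match(value):
                # Legitimate under UTF-8 naming, but worth a look during triage.
                findings.append({"series": series, "field": label,
                                 "reason": "metric name outside legacy charset",
                                 "severity": "info"})
    return findings


# Constructed sample in the shape of a /api/v1/series response (not real data).
SAMPLE_RESPONSE = {
    "status": "success",
    "data": [
        {"__name__": "up", "job": "node", "instance": "10.0.0.5:9100"},
        {"__name__": "http_requests_total", "job": "api",
         "handler": "<script>alert(1)</script>"},
        {"__name__": 'x" onmouseover="alert(1)', "job": "rogue"},
        {"__name__": "service.latency.seconds", "job": "otlp"},
    ],
}

if __name__ == "__main__":
    for f in audit_series(SAMPLE_RESPONSE):
        print(f"[{f['severity']}] {f['reason']} in {f['field']}: {f['series']}")
```

Run it against `curl -G 'http://PROMETHEUS:9090/api/v1/series' --data-urlencode 'match[]={__name__=~".+"}'` output to cover every stored series; a high finding is a series to delete via the admin API and trace back to its source (scrape target, remote-write client or OTLP sender).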


How to mitigate CVE-2026-40179

Install the security update from the vendor's website.

Sources