Security3.5.2
Fix stored XSS via unescaped metric names and labels in web UI
This release patches a stored XSS vulnerability (CVE-2026-40179) that could be triggered through crafted metric names and label values in the Prometheus web UI tooltips and metrics explorer. Additionally, regex performance is improved by removing unnecessary Simplify calls.
This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
- [SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #18507
- [PERF] Regex: Stop calling Simplify. #17908
securityxssuicveperformanceregex
Source: original entry ↗