megachangelog
Security3.11.2

Prometheus 3.11.2

This release fixes a stored XSS vulnerability in the Prometheus web UI that could be triggered via crafted metric names and label values in tooltips and the metrics explorer. It also adds a health_filter field to Consul SD for Health API filtering and fixes a bug where the filter parameter was incorrectly applied.

This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.

  • [SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #18506
  • [ENHANCEMENT] Consul SD: Introduce health_filter field for Health API filtering. #18499
  • [BUGFIX] Consul SD: Fix filter parameter being incorrectly applied to the Health API. #18499
securityxssuiconsulbugfix

Source: original entry ↗