Description
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.
Published: 2026-05-26
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prometheus uses a legacy web UI feature that displays histogram bucket labels as axis tick marks in the heatmap chart. The UI does not escape these label values, so an attacker who can inject crafted metric data can embed arbitrary JavaScript. When any user opens the heatmap chart, the malicious script runs in that user's browser, enabling client-side code execution.
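The pattern behind this class of bug, as an added illustration that is not Prometheus code: a bucket's `le` label value interpolated straight into tick-label markup next to a builder that escapes it first, plus a constructed sample of label values and a simple check that the rendered axis contains no tags other than the ones the builder itself emits (all names here are hypothetical).

```javascript
// Added example, not code from the Prometheus project. Models how a histogram
// bucket's `le` label value becomes an axis tick label in a heatmap view.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the label text is trusted and concatenated into markup.
function tickLabelUnsafe(le) {
  return `<span class="tick">${le}</span>`;
}

// Hardened pattern: the label text is escaped, so any markup in it is inert.
function tickLabelSafe(le) {
  return `<span class="tick">${escapeHtml(le)}</span>`;
}

// Constructed sample: two ordinary bucket boundaries and one label value that
// carries markup, as a scrape from an untrusted exporter could supply.
const SAMPLE_LE_VALUES = ["0.5", "+Inf", "0.25</span><i>injected</i>"];

// Render every tick label with the given builder and join them into the axis.
function renderAxis(leValues, build) {
  return leValues.map(build).join("");
}

// Detection-style check over rendered output: true if any tag other than the
// builder's own <span> / </span> appears, i.e. label content became markup.
function containsForeignTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}
```

Running `containsForeignTag(renderAxis(SAMPLE_LE_VALUES, tickLabelUnsafe))` reports the injected tag, while the same check over `tickLabelSafe` output does not.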

Affected Systems

Versions of the Prometheus server from 2.49.0 up to before 3.5.3, and from 3.11.0 up to before 3.11.3, are affected if the legacy UI is enabled with the --enable-feature=old-ui flag. Later releases or deployments that do not enable this flag are not vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply malicious metric labels, typically through a compromised or malicious exporter or data source. Once the injection path exists, any user who views the heatmap chart will have the malicious script executed in their browser.

Generated by OpenCVE AI on May 26, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prometheus to version 3.5.3, 3.11.3 or later to pick up the fix that escapes label values before inserting them into the heatmap HTML.
  • If an upgrade cannot be performed immediately, disable the legacy UI by removing the --enable-feature=old-ui flag from the server configuration.
  • Audit the metrics exposed by the server to verify that none contain malicious or unescaped label values, ensuring that potential injection vectors have been eliminated.

Advisories

Source: GitHub GHSA
ID: GHSA-fw8g-cg8f-9j28
Title: Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

History

Fri, 05 Jun 2026 17:30:00 +0000
  Values added:
    CPEs: cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*
    Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 27 May 2026 16:30:00 +0000
  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 22:45:00 +0000
  Values added:
    First Time appeared: Prometheus, Prometheus prometheus
    Vendors & Products: Prometheus, Prometheus prometheus

Tue, 26 May 2026 21:45:00 +0000
  Values added:
    Description: Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.
    Title: Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI
    Weaknesses: CWE-79
    References
    Metrics (cvssV4_0): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T14:20:35.919Z

Reserved: 2026-05-07T21:50:33.547Z

Link: CVE-2026-44903

Vulnrichment

Updated: 2026-05-27T14:20:32.176Z

NVD

Status: Analyzed

Published: 2026-05-26T22:16:43.010

Modified: 2026-06-05T17:18:32.477

Link: CVE-2026-44903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T23:00:17Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')