Skip to main content

Prometheus CVE-2026-44903

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 GitHub_M
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 27, 2026 - 00:14 vuln.today
Analysis Generated
May 27, 2026 - 00:14 vuln.today
CVSS changed
May 26, 2026 - 22:22 NVD
5.1 (MEDIUM)
CVE Published
May 26, 2026 - 21:27 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.

AnalysisAI

Stored cross-site scripting in Prometheus versions 2.49.0 through 3.5.2/3.11.2 allows a low-privileged attacker who can inject crafted histogram metrics to execute arbitrary JavaScript in the browser of any user who views the affected metric in the legacy heatmap chart UI. Exploitation requires the non-default --enable-feature=old-ui flag to be set and the victim to navigate to the specific heatmap view. No public exploit code has been identified at time of analysis, but the vulnerability is technically straightforward - a missing escapeHTML() call on le label values rendered as axis tick labels in Graph.tsx. This is the third stored DOM XSS in Prometheus's web UI in recent years, following CVE-2019-10215 and CVE-2026-40179.

Technical ContextAI

Prometheus (cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*) is a Go-based monitoring platform with a React frontend. The legacy web UI, re-enabled via --enable-feature=old-ui, renders histogram heatmap charts using Flot. In web/ui/react-app/src/pages/graph/Graph.tsx, the yaxis.tickFormatter callback directly interpolated data[val - 1].labels.le - the upper-bound label of histogram buckets - into the DOM as raw HTML without sanitization. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause: user-controlled data flows from ingested metric labels through storage into an HTML rendering context with no escaping applied. The fix (commit 38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d) wraps the value with the existing escapeHTML() utility already present in the codebase. Metric label values enter Prometheus via scrape targets, the remote write receiver (--web.enable-remote-write-receiver), or the OTLP receiver (--web.enable-otlp-receiver), making this a stored XSS with multiple injection vectors.

RemediationAI

Upgrade Prometheus to version 3.5.3 or 3.11.3, which contain the fix confirmed in commit 38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d (https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d). The patch adds escapeHTML() around the le label value in the heatmap tick formatter and fully resolves the vulnerability. If upgrading immediately is not possible, the most effective workaround is removing the --enable-feature=old-ui command-line flag - this disables the vulnerable code path entirely with no monitoring functionality loss since the modern UI is the default. If the legacy UI cannot be disabled, apply the following compensating controls: restrict or disable the remote write receiver (--web.enable-remote-write-receiver) and OTLP receiver (--web.enable-otlp-receiver) if not required, as these are primary external injection vectors; audit and confirm all scrape targets are trusted and not under adversarial control; do not enable --web.enable-admin-api or --web.enable-lifecycle if untrusted metric sources are present, as XSS could be used to invoke those endpoints. Note that scrape target trust is an operational control - network-level restrictions or allowlisting may be required to enforce it reliably.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Manager Client Tools 15 Fixed
SUSE Manager Client Tools for SLE 15 Fixed

Share

CVE-2026-44903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy