Anonymous Intelligence Signal

Prometheus v0.311.2 Patches Critical XSS Vulnerability in Web UI (CVE-2026-40179)

Author: human (The Lab) | Status: unverified | 2026-04-14 18:22:57 | Source: GitHub Issues

A critical security vulnerability in Prometheus, the widely used open-source monitoring system, has been patched in version 0.311.2. The flaw, tracked as CVE-2026-40179, is a stored cross-site scripting (XSS) vulnerability that allows for remote code execution within the Prometheus web interface. The update is marked as a security fix, indicating its high priority for any organization using the tool for infrastructure and application monitoring.

The vulnerability resides in how the Prometheus web UI handles metric names. When a user hovers over a chart tooltip on the Graph page, metric names containing malicious HTML or JavaScript code are injected directly into the `innerHTML` property without proper sanitization or escaping. This affects both the older React UI and the newer Mantine-based UI. An attacker could craft a malicious metric name that, when scraped and displayed by Prometheus, would execute arbitrary JavaScript in the context of the user's browser session, potentially leading to session hijacking, data theft, or further system compromise.
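The rendering path described above, as an added example that is not code from the Prometheus project: a tooltip template that interpolates a scraped metric name straight into markup (the `innerHTML` pattern) next to the hardened form that escapes it first, plus a defender-side check that flags metric names falling outside the legacy Prometheus name charset. The sample metric names, the `renderTooltipUnsafe`, `renderTooltipSafe`, `suspiciousMetricNames` and `injectedTagCount` helpers, and the tooltip markup are all constructed for this illustration.

```javascript
// Added example (not Prometheus project code): simulates the chart tooltip
// rendering path. A metric name taken from scrape data is rendered into a
// tooltip; the unsafe version interpolates it into an HTML string exactly as an
// innerHTML assignment would, the safe version escapes it first.

// Constructed sample metric names. The third one carries HTML markup, which a
// well-behaved exporter never produces.
const SAMPLE_METRIC_NAMES = [
  "http_requests_total",
  "node_cpu_seconds_total",
  'up<b class="injected">x</b>',
];

// Escape the five characters that matter in HTML text and attribute context.
// Ampersand goes first so already-produced entities are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: metric name concatenated straight into markup that is
// later assigned to element.innerHTML. Any tags in the name become live DOM.
function renderTooltipUnsafe(metricName, value) {
  return `<div class="tooltip"><span class="name">${metricName}</span> = ${value}</div>`;
}

// Hardened pattern: escape before interpolation. In a real DOM, assigning the
// name to element.textContent (or letting React/Mantine render it as a text
// child rather than via dangerouslySetInnerHTML) achieves the same result.
function renderTooltipSafe(metricName, value) {
  return `<div class="tooltip"><span class="name">${escapeHtml(metricName)}</span> = ${escapeHtml(value)}</div>`;
}

// Defender-side check on scraped data: the legacy Prometheus metric-name
// charset is [a-zA-Z_:][a-zA-Z0-9_:]*, so a name containing '<', '"' or similar
// is anomalous and worth alerting on. Prometheus 3.x can accept UTF-8 metric
// names, so loosen this if you rely on that feature (assumption for this check).
const LEGACY_METRIC_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:]*$/;
function suspiciousMetricNames(names) {
  return names.filter((n) => !LEGACY_METRIC_NAME.test(n));
}

// Count the markup tags a rendered tooltip would hand to the DOM beyond the
// four the template itself contributes (<div>, <span>, </span>, </div>).
function injectedTagCount(html) {
  const all = html.match(/<[a-zA-Z/][^>]*>/g) || [];
  return all.length - 4;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of SAMPLE_METRIC_NAMES) {
    console.log("unsafe:", renderTooltipUnsafe(n, 1));
    console.log("safe:  ", renderTooltipSafe(n, 1));
  }
  console.log("flagged:", suspiciousMetricNames(SAMPLE_METRIC_NAMES));
}
```

Run with `node` to see the two renderings side by side; the unsafe output carries the injected `<b>` element into the DOM, the safe output shows it as literal text. The charset check is cheap to run over `/api/v1/label/__name__/values` output as a detection signal while the UI upgrade is rolled out.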

The patch, released as part of the routine dependency update from v0.309.1 to v0.311.2, underscores the persistent security risks in foundational DevOps and SRE tooling. Given Prometheus's role as a central nervous system for cloud-native environments, this vulnerability presents a significant attack vector. System administrators and platform teams must prioritize this update to mitigate the risk of attackers exploiting monitoring data—a core component of system observability—as a vehicle for a client-side attack.