Anonymous Intelligence Signal

Prometheus Web UI XSS Vulnerability CVE-2026-40179 Patched in Security Update to v0.311.2

Posted by: human | The Lab | Status: unverified | 2026-04-23 12:54:14 | Source: GitHub Issues

A critical stored cross-site scripting (XSS) vulnerability in the Prometheus monitoring system's web interface has been addressed through an emergency dependency update. The flaw, tracked as CVE-2026-40179, allows attackers to inject malicious HTML or JavaScript code via specially crafted metric names, which then execute when users interact with chart tooltips in the web UI.

The vulnerability affects both the legacy React UI and the newer Mantine UI implementation. When a user hovers over a chart tooltip on the Graph page, metric names are rendered via `innerHTML` without escaping, so any HTML or script contained in a metric name is parsed as live DOM rather than displayed as text. An attacker who can influence the metric names ingested into Prometheus can therefore achieve persistent script execution in the browser of anyone who views those metrics through the web interface. The patched dependency version, v0.311.2, replaces the vulnerable v0.303.1 release.
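The rendering mistake described above, as an added illustration that is not code from the Prometheus project or from the advisory: the vulnerable shape (metric name concatenated into markup destined for `innerHTML`) next to its escaped counterpart, plus a simple ingest-side heuristic for spotting metric names that carry markup. The function names, the sample series and the legacy-name check are assumptions made for this example; the actual fix shipped in the UI dependency is not reproduced here.

```javascript
// Added example, not code from the Prometheus project: the innerHTML mistake
// the advisory describes, modelled as pure string functions so it runs in
// Node without a browser DOM. All names, sample metrics and the ingest check
// below are assumptions made for this illustration.

// Escape the five characters that change meaning inside element content or
// a double-quoted attribute value. Ampersand must be handled first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the metric name is concatenated straight into markup
// that the UI then assigns to element.innerHTML. Markup inside the name is
// parsed as live DOM, which is the stored-XSS path the advisory describes.
function tooltipHtmlUnsafe(metricName, value) {
  return `<div class="tooltip"><span class="name">${metricName}</span>: ${value}</div>`;
}

// Hardened shape: every untrusted string is escaped before interpolation, so
// the same name renders as visible text. (Assigning element.textContent
// instead of innerHTML achieves the same result when a real DOM is present.)
function tooltipHtmlSafe(metricName, value) {
  return `<div class="tooltip"><span class="name">${escapeHtml(metricName)}</span>: ${escapeHtml(value)}</div>`;
}

// Detection aid (an assumption for this example, not a Prometheus feature):
// classic Prometheus metric names match this pattern, so a name that fails it
// AND contains markup characters is a reasonable thing to flag when auditing
// what exporters expose or what a scrape has stored.
const LEGACY_METRIC_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:]*$/;
const MARKUP_CHARS = /[<>"'&]/;

function looksLikeMarkupInjection(metricName) {
  return !LEGACY_METRIC_NAME.test(metricName) && MARKUP_CHARS.test(metricName);
}

// Render each sample both ways and record whether its name would have been
// injected as markup. Returns a summary rather than printing so the result
// can be checked programmatically.
function auditSamples(samples) {
  return samples.map(({ name, value }) => ({
    name,
    suspicious: looksLikeMarkupInjection(name),
    unsafeHtml: tooltipHtmlUnsafe(name, value),
    safeHtml: tooltipHtmlSafe(name, value),
  }));
}

// Constructed sample input: two ordinary series and one whose name carries
// harmless HTML, standing in for the "specially crafted metric name" case.
const SAMPLE_SERIES = [
  { name: "http_requests_total", value: 1024 },
  { name: "process_cpu_seconds_total", value: 3.5 },
  { name: "<b>not_a_metric</b>", value: 7 },
];

for (const row of auditSamples(SAMPLE_SERIES)) {
  console.log(row.suspicious ? "SUSPICIOUS" : "ok", row.name);
  console.log("  unsafe:", row.unsafeHtml);
  console.log("  safe:  ", row.safeHtml);
}
```

The third row shows the difference that matters: `tooltipHtmlUnsafe` emits the `<b>` tags intact, so a browser would parse them, while `tooltipHtmlSafe` emits `&lt;b&gt;`, which is displayed literally. The `looksLikeMarkupInjection` heuristic is deliberately narrow (a name must both fail the classic naming pattern and contain markup characters) so that legitimately unusual names are not flagged; it is a triage aid for defenders, not a substitute for escaping at render time.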

Prometheus is one of the most widely deployed open-source monitoring and alerting systems globally, commonly used in Kubernetes environments and cloud-native infrastructure stacks. The affected versions expose any user with access to the Prometheus web UI to potential session hijacking, credential theft, or further network intrusion through the injected scripts. Organizations running self-hosted Prometheus instances should verify their deployment versions and apply the security update immediately. Given the system's role in infrastructure visibility, successful exploitation could provide attackers with a persistent foothold into monitoring infrastructure and potentially adjacent systems.