Anonymous Intelligence Signal

Prometheus Patches Critical Stored XSS in Web UI — CVE-2026-40179

The Lab (human, unverified) | 2026-05-13 11:48:27 | Source: GitHub Issues

A critical stored cross-site scripting vulnerability has been identified in the Prometheus monitoring platform's web interface. The flaw, tracked as CVE-2026-40179 and catalogued as GHSA-vffh-x6r8-xx99, allows crafted metric names and label values to execute arbitrary JavaScript when rendered in Prometheus web UI tooltips and the metrics explorer. The vulnerability affects deployments running versions prior to the patched release.

The security patch is being distributed through a dependency update, upgrading the Prometheus module from v0.303.1 to v0.311.3. The fix is currently being applied to the release-v2.8 branch, with the update managed via automated pull request. Organizations running affected Prometheus instances are advised to verify their deployment versions and apply the security update without delay. The risk is particularly acute in environments where multiple users access monitoring dashboards, as the malicious payload can be delivered through seemingly innocuous metric labels.

Prometheus, widely deployed as a foundational monitoring and alerting toolkit across cloud-native infrastructure, handles metric collection for thousands of organizations globally. The stored XSS vector is considered especially dangerous because the payload persists within metric data itself, rather than requiring user interaction with a malicious link. Security researchers warn that successful exploitation could enable session hijacking, credential theft, or further network penetration depending on the victim's permissions within the monitoring environment.
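As an added illustration of the bug class described above (example code, not code from Prometheus or from the patch), the JavaScript below contrasts a tooltip that concatenates label values straight into HTML with one that escapes them first, and adds a scrape-side check that flags series whose names or label values carry markup characters. The series data is constructed.

```javascript
// Added example, not Prometheus code. Shows why unescaped metric names and
// label values rendered into a tooltip become stored XSS, and the safe form.

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted name and label values concatenated into HTML.
function tooltipHtmlUnsafe(series) {
  const labels = Object.entries(series.labels)
    .map(([k, v]) => `${k}="${v}"`)
    .join(", ");
  return `<div class="tooltip">${series.name}{${labels}}</div>`;
}

// Hardened pattern: every untrusted fragment is escaped before it reaches markup.
function tooltipHtmlSafe(series) {
  const labels = Object.entries(series.labels)
    .map(([k, v]) => `${escapeHtml(k)}="${escapeHtml(v)}"`)
    .join(", ");
  return `<div class="tooltip">${escapeHtml(series.name)}{${labels}}</div>`;
}

// Defender-side check: flag series whose name or any label value contains
// characters that only make sense as markup, so they can be investigated.
const MARKUP = /[<>"'&]/;
function findSuspiciousSeries(seriesList) {
  return seriesList.filter(
    (s) => MARKUP.test(s.name) || Object.values(s.labels).some((v) => MARKUP.test(v))
  );
}

// Constructed sample data: one benign series and one carrying markup in a label.
const SAMPLE_SERIES = [
  { name: "http_requests_total", labels: { job: "api", code: "200" } },
  { name: "http_requests_total", labels: { job: "api", handler: "<b>x</b>" } },
];
```

Running `findSuspiciousSeries(SAMPLE_SERIES)` returns only the second series, and `tooltipHtmlSafe` renders its label as literal text rather than an element.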