Anonymous Intelligence Signal

Prometheus Patches Critical Stored XSS Vulnerability in Web UI — Users Urged to Update

Author: The Lab (unverified) | Published: 2026-05-13 11:48:28 | Source: GitHub Issues

A critical stored cross-site scripting vulnerability has been identified and patched in Prometheus, the widely deployed open-source monitoring and alerting toolkit. The flaw, tracked as CVE-2026-40179, allows attackers to inject malicious scripts through crafted metric names and label values that execute when displayed in the Prometheus web UI tooltips and metrics explorer.

The vulnerability affects Prometheus versions prior to v0.311.3; the security patch moves the project from v0.304.2 to v0.311.3 and specifically addresses the injection vector in metric names and label values rendered by the web interface. Organizations running self-hosted Prometheus instances face direct exposure: because the payload executes in the administrator's browser session when affected metrics are viewed in the UI, successful exploitation could lead to session hijacking, credential theft, or further network compromise.

Prometheus serves as a foundational monitoring component across cloud-native infrastructure, DevOps pipelines, and enterprise observability stacks. The severity rating and the fact that the payload executes persistently—meaning it activates each time the crafted metric is viewed—raise the risk profile significantly. Security teams maintaining internal deployments should treat this update as high priority and verify that all web-facing Prometheus instances are running v0.311.3 or later. The vulnerability has been assigned BIT-prometheus-2026-40179 and is also documented under GHSA-vffh-x6r8-xx99.
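Two checks a security team would want to run against its own instances follow: a version comparison against the fixed release named above, and an audit of scraped metric names and label values for content that only has meaning when rendered as HTML rather than text. This is an added example written for this page, not code from the Prometheus project or the advisory. It assumes the standard Prometheus HTTP API endpoints `/api/v1/status/buildinfo` and `/api/v1/series`; the character heuristic is this script's own choice, and the sample responses are constructed to show the shape of the output.

```python
"""Audit helpers for the Prometheus stored-XSS advisory (CVE-2026-40179).

Assumptions (not from the advisory): the live checks use the standard
Prometheus HTTP API endpoints /api/v1/status/buildinfo and /api/v1/series.
The heuristic character list is this script's own choice.
"""
import json
import re
import urllib.parse
import urllib.request

# Fixed version as stated in the advisory.
PATCHED_VERSION = (0, 311, 3)

# Coarse heuristic: characters and tokens that carry meaning when a string is
# rendered as HTML instead of text. Expect some false positives (for example
# quotes inside ordinary label values); review hits by hand.
HTML_SIGNIFICANT = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def parse_version(text):
    """Turn 'v0.304.2', '0.304.2' or '0.311.3-rc.1' into a comparable tuple of ints."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version_text):
    """True when the running version is at or above the advisory's fixed version."""
    return parse_version(version_text) >= PATCHED_VERSION


def find_suspicious_labels(series):
    """Return label values (metric names included, via __name__) that contain HTML-significant content."""
    hits = []
    for labelset in series:
        metric = labelset.get("__name__", "")
        for label, value in labelset.items():
            if HTML_SIGNIFICANT.search(value):
                hits.append({"metric": metric, "label": label, "value": value})
    return hits


def audit(buildinfo, series_response):
    """Combine the version check and the label scan into one report."""
    version = buildinfo["data"]["version"]
    return {
        "version": version,
        "patched": is_patched(version),
        "suspicious": find_suspicious_labels(series_response["data"]),
    }


def fetch_json(base_url, path, params=None):
    """GET a Prometheus API endpoint and decode the JSON body (network path; unused by the offline demo)."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def audit_live(base_url):
    """Run the audit against a reachable instance, e.g. http://localhost:9090 (hypothetical address)."""
    buildinfo = fetch_json(base_url, "/api/v1/status/buildinfo")
    series = fetch_json(base_url, "/api/v1/series", {"match[]": '{__name__=~".+"}'})
    return audit(buildinfo, series)


# Constructed sample responses, shaped like the real API output.
SAMPLE_BUILDINFO = {"status": "success", "data": {"version": "0.304.2"}}
SAMPLE_SERIES = {
    "status": "success",
    "data": [
        {"__name__": "up", "job": "node", "instance": "10.0.0.5:9100"},
        {"__name__": "http_requests_total", "job": "web", "handler": "/search?q=<script>probe</script>"},
        {"__name__": "custom_<b>metric</b>_total", "job": "app"},
        {"__name__": "requests", "job": "api", "path": "/login?next=javascript:void(0)"},
    ],
}

if __name__ == "__main__":
    report = audit(SAMPLE_BUILDINFO, SAMPLE_SERIES)
    print(f"version {report['version']} patched={report['patched']}")
    for hit in report["suspicious"]:
        print(f"  {hit['metric']} {hit['label']}={hit['value']!r}")
```

Run against the constructed sample, the report flags the instance as unpatched and lists three label values (one metric name, one handler path, one redirect parameter) for review. The label scan is useful even after upgrading: it tells you which exporters or scrape targets were feeding HTML-shaped strings into the store, which is where the injection vector described above originates.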