GHSA-FW8G-CG8F-9J28: Stored Cross-Site Scripting in Prometheus Legacy Web UI Heatmap

DEV Community·CVE Reports·27 days ago

Vulnerability ID: GHSA-FW8G-CG8F-9J28
CVSS Score: 6.5
Published: 2026-05-05

Prometheus versions prior to 3.11.3 contain a Stored Cross-Site Scripting (XSS) vulnerability in the legacy web UI's heatmap visualization component. An attacker can inject arbitrary JavaScript by providing malicious le (less-than-or-equal) bucket labels within scraped metrics. When an administrator views the heatmap in the legacy UI, the payload executes within their browser context, potentially leading to unauthorized configuration access or actions performed on behalf of the user.

TL;DR

A stored XSS vulnerability in the Prometheus legacy web UI allows attackers to execute arbitrary JavaScript via maliciously crafted histogram bucket labels, affecting versions prior to 3.11.3.…
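The advisory's mechanism is that a scraped label value (the histogram `le` bucket boundary) reaches the heatmap's markup without escaping. The following is an added example, not Prometheus code and not taken from the advisory, showing two defender-side controls around that mechanism: a scrape-time check that flags `le` values which are not a finite number or `+Inf` (a well-formed histogram never has any other `le` value), and a heatmap cell renderer in the unsafe concatenation form next to its escaped form. The exposition lines, metric name and the `renderCell*` helpers are constructed for the demonstration; the parser assumes double-quoted label values with no escaped quotes.

```javascript
// Added example (not Prometheus code): flagging non-numeric `le` bucket labels at
// ingestion time and escaping label values before they reach heatmap HTML.

// Constructed sample in Prometheus text exposition format. The last bucket carries a
// label value that is not a number; that is the shape a defender wants to catch.
const SAMPLE_EXPOSITION = [
  'http_request_duration_seconds_bucket{le="0.1"} 3',
  'http_request_duration_seconds_bucket{le="0.5"} 7',
  'http_request_duration_seconds_bucket{le="+Inf"} 9',
  'http_request_duration_seconds_bucket{le="0.5<b>x</b>"} 9', // constructed bad label
].join('\n');

// Minimal parser for the `le` label of *_bucket series (assumption: label values are
// double-quoted and contain no escaped quotes, which is enough for this demonstration).
function extractLeLabels(exposition) {
  const out = [];
  const re = /^(\w+_bucket)\{[^}]*\ble="((?:[^"\\]|\\.)*)"[^}]*\}\s+(\S+)/;
  for (const line of exposition.split('\n')) {
    const m = re.exec(line);
    if (m) out.push({ metric: m[1], le: m[2], value: Number(m[3]) });
  }
  return out;
}

// A valid `le` is a finite float or the literal "+Inf". Anything else is malformed and,
// given the advisory, worth alerting on. Returns the offending label values.
function findSuspiciousLe(exposition) {
  return extractLeLabels(exposition)
    .filter(b => !(b.le === '+Inf' || (b.le.trim() !== '' && Number.isFinite(Number(b.le)))))
    .map(b => b.le);
}

// HTML-escape the five characters that matter when text is placed into element content
// or into a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// The pattern the advisory describes: a label value concatenated straight into markup.
function renderCellUnsafe(le, count) {
  return `<td class="bucket" title="${le}">${le}: ${count}</td>`;
}

// Hardened form: every untrusted value is escaped before concatenation, and the count
// is coerced to a number so it cannot carry markup either.
function renderCellSafe(le, count) {
  return `<td class="bucket" title="${escapeHtml(le)}">${escapeHtml(le)}: ${Number(count)}</td>`;
}

// Does the rendered markup contain a tag the template itself did not emit?
// (Only <td> and </td> are legitimate here.)
function containsForeignTag(html) {
  return /<(?!\/?td\b)[a-zA-Z]/.test(html);
}
```

The scrape-time check is the cheaper control to deploy on a fleet that cannot upgrade immediately: it needs no UI change and turns a malformed `le` into an alert rather than a stored payload. The renderer comparison shows why escaping must happen at the output boundary, since the same label string is harmless as text and harmful only when interpreted as HTML.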
