GHSA-vffh-x6r8-xx99 · 深刻度: medium · エコシステム: go — Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.
総合評価: CVE-2026-40179 は低リスク(26.6/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 0.24%、15 パーセンタイル) 推奨対応: 悪用情報と EPSS の推移を監視し、必要に応じて優先度を見直してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.01% | 0.24% | +0.22% |
| 2 | 2026-04-16 | — | 0.01% | — |
EPSS の全履歴 (全 2 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 5.3 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 6.1 | 3.1 | MEDIUM |
|
2.8 | 2.7 | [email protected] |
GHSA-vffh-x6r8-xx99 · 深刻度: medium · エコシステム: go — Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2026-40179 unimportant priority: Debian including 1 source packages (prometheus), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2026-40179 |
suse
|
medium | — | https://www.suse.com/security/cve/CVE-2026-40179/ |
ubuntu
|
medium | CVE-2026-40179 medium priority: Ubuntu including 1 source packages (prometheus), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, resolute, upstream, xenial): needs-triage 7, not-affected 1. | https://ubuntu.com/security/CVE-2026-40179 |
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| prometheus | prometheus | >= 3.0.0, < 3.5.2 | cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:* |
| prometheus | prometheus | >= 3.6.0, < 3.11.2 | cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c | Patch |
| https://github.com/prometheus/prometheus/pull/18506 | Issue Tracking Patch |
| https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99 | Mitigation Vendor Advisory |