data/reports: review 1 report Updates golang/vulndb#5662 Fixes golang/vulndb#5840 Fixes golang/vulndb#5796 Change-Id: I0dd79926b11638d83a129d3a82bbfbe2714ff12f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/798300 Auto-Submit: Neal Patel <nealpatel@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2026-5662.json b/data/osv/GO-2026-5662.json index f7c2d9a..ceefba4 100644 --- a/data/osv/GO-2026-5662.json +++ b/data/osv/GO-2026-5662.json
@@ -7,8 +7,8 @@ "CVE-2026-40179", "GHSA-vffh-x6r8-xx99" ], - "summary": "Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer in github.com/prometheus/prometheus", - "details": "Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer in github.com/prometheus/prometheus.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .", + "summary": "Prometheus has Stored XSS via metric names and label values in Prometheus web UI in github.com/prometheus/prometheus", + "details": "Prometheus has Stored XSS via metric names and label values in Prometheus web UI in github.com/prometheus/prometheus", "affected": [ { "package": { @@ -21,62 +21,6 @@ "events": [ { "introduced": "0" - } - ] - } - ], - "ecosystem_specific": { - "custom_ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.6.0" - } - ] - } - ] - } - }, - { - "package": { - "name": "github.com/prometheus/prometheus", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - } - ] - } - ], - "ecosystem_specific": { - "custom_ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - } - ] - } - ] - } - }, - { - "package": { - "name": "github.com/prometheus/prometheus", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" }, { "fixed": "0.311.2-0.20260410083055-07c6232d159b" @@ -84,7 +28,27 @@ ] } ], - "ecosystem_specific": {} + "ecosystem_specific": { + "custom_ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.5.2" + }, + { + "introduced": "3.6.0" + }, + { + "fixed": "3.11.2" + } + ] + } + ] + } } ], "references": [ @@ -93,10 +57,6 @@ "url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99" }, { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40179" - }, - { "type": "FIX", "url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c" }, @@ -107,6 +67,6 @@ ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2026-5662", - "review_status": "UNREVIEWED" + "review_status": "REVIEWED" } } \ No newline at end of file
diff --git a/data/reports/GO-2026-5662.yaml b/data/reports/GO-2026-5662.yaml index d42e371..6ce2fda 100644 --- a/data/reports/GO-2026-5662.yaml +++ b/data/reports/GO-2026-5662.yaml
@@ -1,36 +1,26 @@ id: GO-2026-5662 modules: - module: github.com/prometheus/prometheus - non_go_versions: - - introduced: 3.6.0 - unsupported_versions: - - last_affected: 3.11.1 - vulnerable_at: 0.312.0 - - module: github.com/prometheus/prometheus - non_go_versions: - - introduced: 3.0.0 - unsupported_versions: - - last_affected: 3.5.1 - vulnerable_at: 0.312.0 - - module: github.com/prometheus/prometheus versions: - fixed: 0.311.2-0.20260410083055-07c6232d159b + non_go_versions: + - introduced: 3.0.0 + - fixed: 3.5.2 + - introduced: 3.6.0 + - fixed: 3.11.2 vulnerable_at: 0.311.1 summary: |- Prometheus has Stored XSS via metric names and label values in Prometheus web UI - tooltips and metrics explorer in github.com/prometheus/prometheus + in github.com/prometheus/prometheus cves: - CVE-2026-40179 ghsas: - GHSA-vffh-x6r8-xx99 references: - advisory: https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99 - - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-40179 - fix: https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c - fix: https://github.com/prometheus/prometheus/pull/18506 -notes: - - fix: 'module merge error: could not merge versions of module github.com/prometheus/prometheus: introduced and fixed versions must alternate' source: id: GHSA-vffh-x6r8-xx99 created: 2026-06-25T15:46:19.777474719-04:00 -review_status: UNREVIEWED +review_status: REVIEWED