| id: GO-2026-5662 |
| modules: |
| - module: github.com/prometheus/prometheus |
| versions: |
| - fixed: 0.311.2-0.20260410083055-07c6232d159b |
| non_go_versions: |
| - introduced: 3.0.0 |
| - fixed: 3.5.2 |
| - introduced: 3.6.0 |
| - fixed: 3.11.2 |
| vulnerable_at: 0.311.1 |
| summary: |- |
| Prometheus has Stored XSS via metric names and label values in Prometheus web UI |
| in github.com/prometheus/prometheus |
| cves: |
| - CVE-2026-40179 |
| ghsas: |
| - GHSA-vffh-x6r8-xx99 |
| references: |
| - advisory: https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99 |
| - fix: https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c |
| - fix: https://github.com/prometheus/prometheus/pull/18506 |
| source: |
| id: GHSA-vffh-x6r8-xx99 |
| created: 2026-06-25T15:46:19.777474719-04:00 |
| review_status: REVIEWED |