[GHSA-vffh-x6r8-xx99] Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer#8721
Conversation
|
Hi there @roidelapluie! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
Curation note: the intended changes in this contribution are the Go module version ranges and the two release references. The removal of the existing CVSS v3 vector ( |
Updates
Comments
Correct the machine-readable Go module ranges to include the Prometheus 3.5.2 LTS backport.
Prometheus's signed v3.5.2 and v3.11.2 releases explicitly identify CVE-2026-40179 as fixed. Prometheus's official module-version script maps server 3.5.2 to module 0.305.2 and server 3.11.2 to module 0.311.2; the corresponding module tags exist and their VERSION files report 3.5.2 and 3.11.2.
This resolves #7537 and prevents the patched v0.305.2 module release from being falsely treated as vulnerable.
Evidence: