## Prometheus Web UI Exposed to Stored XSS via Crafted Metric Names (CVE-2026-40179)
A stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-40179 and rated critical by the source, has been disclosed in the web UI of the Prometheus monitoring system. An attacker who can get a specially crafted metric name ingested injects HTML or JavaScript that Prometheus stores alongside the series; the payload then executes in the browser of any user whose interaction with the affected UI component renders that name. A single scrape of a hostile target is therefore enough to leave a persistent trap for every operator who later looks at the graph.

The flaw is in how the Graph page of the Prometheus web UI renders metric names. When a user hovers over a chart and a tooltip is shown, the metric name is written into the tooltip element through `innerHTML` without being escaped, so any markup in the name is parsed by the browser and any event handler it carries runs. The same unsafe rendering exists in both the legacy React UI and the newer Mantine-based UI, which points to shared visualization logic rather than a single component. Two details make this reachable in practice. Metric names are not sanitized anywhere between the scrape target and the browser: they are stored in the TSDB with the series and survive until the series is deleted. And the legacy metric-name syntax `[a-zA-Z_:][a-zA-Z0-9_:]*` has no way to spell `<`, `>` or a quote, so a name carrying markup can only be ingested under the relaxed UTF-8 name support that Prometheus 3.x enables by default; pinning the global `metric_name_validation_scheme` setting to `legacy` rejects such names at scrape time and is a reasonable stopgap while patching. According to the source, the fix ships in the update from v0.310.0 to v0.311.2.
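To make the rendering bug concrete, here is an added example (written for this page, not code from the Prometheus project) that builds a tooltip the unsafe way and the two ways that fix it. The metric name, the tooltip markup and the `TextOnlyElement` stand-in for a DOM node are all constructed for the example; the browser-side assignments they model are shown in comments.

```javascript
// Added example, not Prometheus code: an unescaped metric name reaching
// innerHTML, beside the escaped and the textContent-based fixes.
// Runs under Node; the real browser calls are given in comments.

// Constructed metric name carrying an HTML event handler. It has no
// <script> tag, so a naive "<script>" filter would not catch it.
const CONSTRUCTED_PAYLOAD_NAME =
  '<img src=x onerror="fetch(\'/-/quit\',{method:\'POST\'})">';

// Escape the five characters that change meaning inside element content
// or attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: markup assembled by interpolation and handed to
// innerHTML, so the metric name is parsed as HTML.
// Browser: tooltip.innerHTML = vulnerableTooltipHtml(name, value);
function vulnerableTooltipHtml(metricName, value) {
  return `<div class="tooltip"><b>${metricName}</b>: ${value}</div>`;
}

// Fix (a): same markup, but every untrusted string escaped first.
// Browser: tooltip.innerHTML = safeTooltipHtml(name, value);
function safeTooltipHtml(metricName, value) {
  return `<div class="tooltip"><b>${escapeHtml(metricName)}</b>: ${escapeHtml(value)}</div>`;
}

// Fix (b): skip innerHTML and assign textContent, which the browser stores
// as text and never parses. TextOnlyElement mimics that one behaviour so
// the path can run outside a browser; outerHTML() shows what the DOM holds.
class TextOnlyElement {
  constructor(tag) { this.tag = tag; this.text = ''; }
  set textContent(v) { this.text = String(v); }
  get textContent() { return this.text; }
  outerHTML() { return `<${this.tag}>${escapeHtml(this.text)}</${this.tag}>`; }
}
// Browser: const b = document.createElement('b'); b.textContent = `${name}: ${value}`;
function safeTooltipNode(metricName, value, create = (t) => new TextOnlyElement(t)) {
  const label = create('b');
  label.textContent = `${metricName}: ${value}`;
  return label;
}

// Check used below: does any tag opener from the untrusted input survive
// verbatim in the rendered markup? If so, the browser will treat it as live.
function containsLiveMarkup(renderedHtml, untrustedInput) {
  const openers = untrustedInput.match(/<[a-zA-Z][^>]*>/g) || [];
  return openers.some((tag) => renderedHtml.includes(tag));
}
```

Both fixes are equivalent for plain text; fix (b) is the one to prefer in React or Mantine code, where building nodes or rendering `{name}` as a child already goes through `textContent` semantics and `dangerouslySetInnerHTML` is the only way to reintroduce the bug.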

The practical risk depends on who can get a metric name into the server. Prometheus stores whatever names its scrape targets expose, so a compromised or malicious exporter, a script writing to a Pushgateway that Prometheus scrapes, or a client with access to the remote-write receiver (when the server runs with `--web.enable-remote-write-receiver`) can all plant the payload; no access to Prometheus itself is needed. Once it fires, the script runs in the operator's browser with the operator's network position and whatever credentials a fronting reverse proxy attaches, since Prometheus has no authentication or session layer of its own. From there it can read any metric through `/api/v1/query`, and if the server was started with `--web.enable-admin-api` or `--web.enable-lifecycle` it can delete series through `/api/v1/admin/tsdb/delete_series` or reload and shut down the server through `/-/reload` and `/-/quit`. Beyond upgrading, restricting who can reach the UI and leaving the admin and lifecycle endpoints disabled limit what a successful injection can do. The fix underscores the persistent challenge of securing visualization layers in observability platforms, where data from untrusted sources is routinely displayed.
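Because the payload persists in the TSDB, patching the UI does not remove names that were already scraped. The following added example (written for this page, not Prometheus project code) audits the names a server holds for anything outside the legacy syntax and flags those that carry markup characters. The endpoint path and the `{status, data}` response shape are those of the Prometheus label-values API; the response object and the `http://localhost:9090` base URL in the usage are constructed for the example.

```javascript
// Added example, not Prometheus code: find stored metric names that could
// only exist under UTF-8 naming, and single out the ones carrying markup.

// Legacy metric-name syntax: cannot contain <, >, quotes or &.
const LEGACY_METRIC_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:]*$/;
// Characters that matter to an HTML parser.
const MARKUP_CHARS = /[<>"'&]/;

// Constructed stand-in for GET /api/v1/label/__name__/values.
const CONSTRUCTED_LABEL_VALUES = {
  status: 'success',
  data: [
    'up',
    'http_requests_total',
    'node.cpu.seconds_total',              // UTF-8 name: allowed in 3.x, harmless
    '<svg onload=alert(document.cookie)>', // constructed payload name
  ],
};

// Escape a label value for use inside a PromQL matcher string.
function promqlQuote(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Return one finding per non-legacy name, with a selector that addresses
// exactly that series (usable with delete_series once the admin API is on).
function auditMetricNames(labelValuesResponse) {
  if (labelValuesResponse.status !== 'success' || !Array.isArray(labelValuesResponse.data)) {
    throw new Error(`unexpected label-values response: ${JSON.stringify(labelValuesResponse)}`);
  }
  const findings = [];
  for (const name of labelValuesResponse.data) {
    if (LEGACY_METRIC_NAME.test(name)) continue;
    findings.push({
      name,
      markup: MARKUP_CHARS.test(name),
      selector: `{__name__=${promqlQuote(name)}}`,
    });
  }
  return findings;
}

// Live run against a server (base URL is an assumption for the example).
async function auditServer(baseUrl = 'http://localhost:9090') {
  const res = await fetch(`${baseUrl}/api/v1/label/__name__/values`);
  if (!res.ok) throw new Error(`label-values request failed: HTTP ${res.status}`);
  return auditMetricNames(await res.json());
}
```

Names flagged with `markup: true` are the ones to remove and trace back to their scrape target; the `markup: false` findings are ordinary UTF-8 names and are listed only so that a move to `metric_name_validation_scheme: legacy` is made with knowledge of what it would start rejecting.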
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, CVE, monitoring, open-source
- **Credibility**: unverified
- **Published**: 2026-04-14 17:22:38
- **ID**: 64099
- **URL**: https://whisperx.ai/en/intel/64099