## Prometheus v0.311.2 Security Patch: Critical XSS Vulnerability in Web UI Exposes Monitoring Systems
A critical security vulnerability that exposed the Prometheus monitoring system's web interface to stored cross-site scripting (XSS) attacks has been patched. The flaw, tracked as CVE-2026-40179, allows an attacker to inject malicious HTML and JavaScript into the monitoring dashboard by crafting metric names. This creates a direct path for code execution within the user's browser session, potentially compromising the entire monitoring environment and any systems it has access to.

The vulnerability is present in both the old React UI and the new Mantine UI of Prometheus. The exploit triggers when a user hovers over a chart tooltip on the Graph page. Metric names containing malicious payloads are written into the `innerHTML` property without sanitization or escaping, so any markup embedded in the name becomes live DOM and its scripts run. This is a classic stored XSS scenario: the attack vector, the crafted metric name, is persisted within the Prometheus database and executed every time the data is visualized.
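The following is an added example, not code from Prometheus or the advisory: it models the tooltip defect as two pure functions, the unescaped template that a UI would assign to `innerHTML` beside its escaped form, plus a defender-side check that flags metric names outside the legacy Prometheus naming charset. The metric name is a constructed sample, and the assumption that UTF-8 metric names are what let markup reach storage is mine, not the page's.

```javascript
// Added example (not Prometheus code). Models the Graph-page tooltip bug:
// an untrusted metric name flows into innerHTML unescaped vs. escaped.

// Constructed sample: a metric name carrying an HTML payload.
const CRAFTED_METRIC = 'up<img src=x onerror=alert(1)>';

// Vulnerable pattern: the name is interpolated into markup that the UI
// then assigns to element.innerHTML, so tags in it become live DOM.
function renderTooltipUnsafe(metricName, value) {
  return `<span class="name">${metricName}</span>: ${value}`;
}

// Minimal HTML escaper for the five characters that can break out of
// text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before the string reaches innerHTML. In a real
// UI, prefer textContent or framework text nodes so no escaping is needed.
function renderTooltipSafe(metricName, value) {
  return `<span class="name">${escapeHtml(metricName)}</span>: ${value}`;
}

// Defender-side check: legacy Prometheus metric names match this charset.
// A name containing '<', '"' or other characters outside it is worth
// flagging when reviewing scrape targets or stored series. (Assumption:
// broader UTF-8 metric names are how markup could have been persisted.)
const LEGACY_METRIC_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:]*$/;
function isSuspiciousMetricName(name) {
  return !LEGACY_METRIC_NAME.test(name);
}

// Returns true when a rendered tooltip still contains raw tags from input.
function leaksMarkup(metricName, value) {
  const rendered = renderTooltipUnsafe(metricName, value);
  return rendered.replace('<span class="name">', '').replace('</span>', '').includes('<');
}

console.log('unsafe :', renderTooltipUnsafe(CRAFTED_METRIC, 1));
console.log('safe   :', renderTooltipSafe(CRAFTED_METRIC, 1));
console.log('suspicious name?', isSuspiciousMetricName(CRAFTED_METRIC));
```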

The patch, delivered in version v0.311.2, addresses this injection flaw. The update is classified as a security fix, indicating high priority. Organizations and developers relying on Prometheus for infrastructure monitoring must apply this update immediately to close the attack vector. Failure to patch leaves administrative and operational dashboards open to session hijacking, credential theft, and further lateral movement within a network, as the Prometheus UI often holds privileged access to system metrics and configuration data.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, CVE-2026-40179, monitoring, open-source
- **Credibility**: unverified
- **Published**: 2026-04-14 21:22:50
- **ID**: 64368
- **URL**: https://whisperx.ai/en/intel/64368