Fabre

#1138261 prometheus: CVE-2026-44903 #1138261

Package:: src:prometheus

Source:: src:prometheus

Submitter:: Salvatore Bonaccorso

Date:: 2026-05-30 08:19:02 UTC

Severity:: normal

Tags:

#1138261#5

Date:: 2026-05-30 08:17:31 UTC

From:

To:

Hi,

The following vulnerability was published for prometheus.

CVE-2026-44903[0]:
| Prometheus is an open-source monitoring system and time series
| database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus
| server's legacy web UI (enabled via the command-line flag --enable-
| feature=old-ui), the histogram heatmap chart view does not escape le
| label values when inserting them into the HTML for use as axis tick
| mark labels. An attacker who can inject crafted metrics can execute
| JavaScript in the browser of any Prometheus user who views the
| metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3
| and 3.11.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44903
https://www.cve.org/CVERecord?id=CVE-2026-44903
[1] https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1138261 prometheus: CVE-2026-44903 #1138261

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)