Vulnerability-Lookup

OPENSUSE-SU-2026:10607-1

Vulnerability from csaf_opensuse - Published: 2026-04-23 00:00 - Updated: 2026-04-23 00:00

Summary

golang-github-prometheus-prometheus-3.11.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: golang-github-prometheus-prometheus-3.11.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the golang-github-prometheus-prometheus-3.11.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10607

CVE-2026-40179

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-40179/	self
https://www.suse.com/security/cve/CVE-2026-40179	external
https://bugzilla.suse.com/1262222	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "golang-github-prometheus-prometheus-3.11.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the golang-github-prometheus-prometheus-3.11.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10607",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10607-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40179 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40179/"
      }
    ],
    "title": "golang-github-prometheus-prometheus-3.11.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-23T00:00:00Z",
      "generator": {
        "date": "2026-04-23T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10607-1",
      "initial_release_date": "2026-04-23T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-23T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.11.2-1.1.aarch64",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.11.2-1.1.aarch64",
                  "product_id": "golang-github-prometheus-prometheus-3.11.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le",
                  "product_id": "golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.11.2-1.1.s390x",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.11.2-1.1.s390x",
                  "product_id": "golang-github-prometheus-prometheus-3.11.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.11.2-1.1.x86_64",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.11.2-1.1.x86_64",
                  "product_id": "golang-github-prometheus-prometheus-3.11.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.11.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.aarch64"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.11.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.11.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.s390x"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.11.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.11.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.x86_64"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.11.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40179",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40179"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like \u003c, \u003e, and \" are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.aarch64",
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le",
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.s390x",
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40179",
          "url": "https://www.suse.com/security/cve/CVE-2026-40179"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262222 for CVE-2026-40179",
          "url": "https://bugzilla.suse.com/1262222"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-3.11.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-23T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-40179"
    }
  ]
}

CVE-2026-40179 (GCVE-0-2026-40179)

Vulnerability from cvelistv5 – Published: 2026-04-15 22:26 – Updated: 2026-04-16 14:21

Title

Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Summary

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.

Severity

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/prometheus/prometheus/security…	x_refsource_CONFIRM
https://github.com/prometheus/prometheus/pull/18506	x_refsource_MISC
https://github.com/prometheus/prometheus/commit/0…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
prometheus	prometheus	Affected: >= 3.0.0, < 3.5.2 Affected: >= 3.6.0, < 3.11.2 Affected: < 0.311.2-0.20260410083055-07c6232d159b

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40179",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-16T14:21:31.807163Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-16T14:21:42.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "prometheus",
          "vendor": "prometheus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.5.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.6.0, \u003c 3.11.2"
            },
            {
              "status": "affected",
              "version": "\u003c 0.311.2-0.20260410083055-07c6232d159b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like \u003c, \u003e, and \" are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T22:26:46.909Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99"
        },
        {
          "name": "https://github.com/prometheus/prometheus/pull/18506",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prometheus/prometheus/pull/18506"
        },
        {
          "name": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c"
        }
      ],
      "source": {
        "advisory": "GHSA-vffh-x6r8-xx99",
        "discovery": "UNKNOWN"
      },
      "title": "Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40179",
    "datePublished": "2026-04-15T22:26:46.909Z",
    "dateReserved": "2026-04-09T20:59:17.619Z",
    "dateUpdated": "2026-04-16T14:21:42.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:10607-1

CVE-2026-40179 (GCVE-0-2026-40179)

Tags

Sightings

Nomenclature