Skip to content

[GHSA-vffh-x6r8-xx99] Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer#8721

Open
erickdronski wants to merge 1 commit into
erickdronski/advisory-improvement-8721from
erickdronski-GHSA-vffh-x6r8-xx99
Open

[GHSA-vffh-x6r8-xx99] Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer#8721
erickdronski wants to merge 1 commit into
erickdronski/advisory-improvement-8721from
erickdronski-GHSA-vffh-x6r8-xx99

Conversation

@erickdronski

Copy link
Copy Markdown

Updates

  • Affected products
  • CVSS v3
  • References

Comments
Correct the machine-readable Go module ranges to include the Prometheus 3.5.2 LTS backport.

Prometheus's signed v3.5.2 and v3.11.2 releases explicitly identify CVE-2026-40179 as fixed. Prometheus's official module-version script maps server 3.5.2 to module 0.305.2 and server 3.11.2 to module 0.311.2; the corresponding module tags exist and their VERSION files report 3.5.2 and 3.11.2.

This resolves #7537 and prevents the patched v0.305.2 module release from being falsely treated as vulnerable.

Evidence:

@github

github commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Hi there @roidelapluie! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions Bot changed the base branch from main to erickdronski/advisory-improvement-8721 July 16, 2026 18:49
@erickdronski

Copy link
Copy Markdown
Author

Curation note: the intended changes in this contribution are the Go module version ranges and the two release references. The removal of the existing CVSS v3 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) is an unintended artifact of the advisory improvement form selecting the existing CVSS v4 value. Please preserve both existing CVSS vectors when applying the version-range correction.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[GHSA-vffh-x6r8-xx99] [CVE-2026-40179] Doesn't show all remediated versions (particularly v3.5.2's go counterpart v0.305.2)

2 participants