Cross-Site Scripting Vulnerability in Prometheus Monitoring System
CVE-2026-44903

5.1MEDIUM

Key Information:

Vendor: Prometheus
Status: Prometheus
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-44903?

The Prometheus Monitoring System's legacy web UI is vulnerable due to insufficient escaping of label values in the histogram heatmap chart view. This vulnerability allows attackers to inject malicious JavaScript into the browsers of users viewing affected metrics. Users running Prometheus versions from 2.49.0 to before 3.5.3 and 3.11.3 are at risk, and the issue has been resolved in the latest updates.

Affected Version(s)

prometheus >= 2.49.0, < 3.5.3 < 2.49.0, 3.5.3

prometheus >= 3.6.0-rc.0, < 3.11.3 < 3.6.0-rc.0, 3.11.3

References

https://github.com/prometheus/prometheus/security/advisor...

x_refsource_CONFIRM

https://github.com/prometheus/prometheus/commit/38f23b907...

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44903 Data

JSON