Medium severity (CVSS 6.1) · GHSA Advisory · Published May 26, 2026 · Updated Jun 5, 2026
CVE-2026-44903
Description
Prometheus is an open-source monitoring system and time series database. In versions from 2.49.0 up to, but not including, 3.5.3 and 3.11.3, the Prometheus server's legacy web UI (enabled via the command-line flag `--enable-feature=old-ui`) does not escape `le` label values when inserting them into the HTML of the histogram heatmap chart view as axis tick mark labels. An attacker who can inject crafted metrics can therefore execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.
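As an added example (not Prometheus code), the rendering pattern behind this issue and two defender-side checks: escaping the `le` value before it is placed in the axis markup, and validating that a bucket's `le` is a float or `+Inf` before it reaches any UI. The sample scrape text and all function names are constructed for this illustration.

```javascript
// Added example, not Prometheus code: an unescaped histogram `le` label value
// becomes markup in an axis tick label; escaping and validation prevent that.

// Escape the five characters that matter for text placed between HTML tags.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the label value is concatenated straight into HTML.
function tickLabelVulnerable(le) {
  return `<text class="tick">${le}</text>`;
}

// Hardened pattern: the same markup, with the value escaped first.
function tickLabelEscaped(le) {
  return `<text class="tick">${escapeHtml(le)}</text>`;
}

// A histogram bucket bound is a float (optionally in exponent form) or +Inf;
// any other `le` value is malformed and worth flagging before it is rendered.
const LE_PATTERN = /^(\+Inf|[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?)$/;
function isPlausibleLe(le) {
  return LE_PATTERN.test(le);
}

// Scan text-exposition lines for _bucket samples whose le fails that check.
function findSuspiciousLeLabels(exposition) {
  const found = [];
  for (const line of exposition.split("\n")) {
    if (line.startsWith("#") || !line.includes("_bucket{")) continue;
    const m = line.match(/\ble="((?:[^"\\]|\\.)*)"/);
    if (m && !isPlausibleLe(m[1])) found.push(m[1]);
  }
  return found;
}

// Constructed sample scrape: two well-formed buckets and one carrying markup.
const SAMPLE_SCRAPE = [
  "# TYPE http_request_duration_seconds histogram",
  'http_request_duration_seconds_bucket{le="0.5"} 7',
  'http_request_duration_seconds_bucket{le="<i>1</i>"} 9',
  'http_request_duration_seconds_bucket{le="+Inf"} 12',
].join("\n");
```

The validation check is independent of the UI fix: a scrape-side or relabel-time filter on `le` values that are not numeric removes the malformed bucket before any dashboard renders it.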
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/prometheus/prometheus (Go) | < 0.311.3 | 0.311.3 |
Affected products
- Range: < 0.311.3
- (no CPE) range: >= 2.49.0, < 3.5.3
References
- github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d (NVD: Patch)
- github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28 (NVD: Mitigation, Patch, Vendor Advisory)
- github.com/advisories/GHSA-fw8g-cg8f-9j28 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-44903 (GHSA: Advisory)
News mentions
No linked articles in our index yet.