VYPR

Bitnami package

prometheus

pkg:bitnami/prometheus

Vulnerabilities (5)

  • CVE-2026-44903 (Medium), May 26, 2026
    affected >= 2.49.0, < 3.5.3; fixed 3.5.3

    Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values

  • CVE-2026-42154 (High), May 4, 2026
    affected < 3.5.3; fixed 3.5.3

    Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated atta

  • CVE-2026-42151 (High), May 4, 2026
    affected < 3.5.3; fixed 3.5.3

    Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type

  • CVE-2026-40179 (Medium), Apr 15, 2026
    affected < 0.311.2-0.20260410083055-07c6232d159b; fixed 0.311.2-0.20260410083055-07c6232d159b

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2021-29622, May 19, 2021
    affected >= 2.23.0, < 2.26.1; fixed 2.26.1

    Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL