Source: prometheus
Version: 2.53.5+ds1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for prometheus.

CVE-2026-44903[0]:
| Prometheus is an open-source monitoring system and time series
| database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus
| server's legacy web UI (enabled via the command-line flag
| --enable-feature=old-ui), the histogram heatmap chart view does not
| escape le label values when inserting them into the HTML for use as
| axis tick mark labels. An attacker who can inject crafted metrics can
| execute JavaScript in the browser of any Prometheus user who views the
| metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3
| and 3.11.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44903
    https://www.cve.org/CVERecord?id=CVE-2026-44903
[1] https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
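The defect class described in the advisory is a chart renderer treating metric label values (here the histogram `le` bucket boundary) as trusted markup. The following is an added illustration, not Prometheus's own UI code and not the upstream fix: it shows the unsafe concatenation pattern next to a hardened version that HTML-escapes the value before it is placed in an axis tick label, run over constructed sample series. The function names, the `<text class="tick">` markup and the sample series are assumptions made for this example; the real remediation is upgrading to the fixed versions named above or not enabling the legacy UI.

```javascript
// Added example (not Prometheus code): treat metric label values as
// untrusted text when building HTML for heatmap axis tick labels.
// Anyone who can push metrics chooses the label values, so they must be
// escaped for the HTML text context, never spliced in raw.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The unsafe pattern the advisory describes: the label value is
// concatenated into markup unchanged. Kept only to contrast with the
// hardened version below.
function renderTickLabelUnsafe(labelValue) {
  return `<text class="tick">${labelValue}</text>`;
}

// Hardened version: same markup, value escaped first.
function renderTickLabel(labelValue) {
  return `<text class="tick">${escapeHtml(labelValue)}</text>`;
}

// Build the tick labels for one axis from a list of series, taking the
// value of `labelName` from each (for a classic histogram heatmap that is
// the "le" bucket boundary). Markup and helper names are assumptions.
function renderAxisTicks(series, labelName) {
  return series
    .map((s) => renderTickLabel(s.labels[labelName] ?? ""))
    .join("");
}

// Constructed sample series: two ordinary buckets and one whose "le"
// value carries markup, as a crafted metric would.
const SAMPLE_SERIES = [
  { labels: { __name__: "http_request_duration_seconds_bucket", le: "0.1" } },
  { labels: { __name__: "http_request_duration_seconds_bucket", le: "0.5" } },
  { labels: { __name__: "http_request_duration_seconds_bucket", le: "<script>alert(1)</script>" } },
];

// Check used by the self-test: does the rendered markup still contain a
// raw <script tag, i.e. did the value escape its text context?
function containsRawTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe renderer leaks tag:",
  containsRawTag(renderTickLabelUnsafe(SAMPLE_SERIES[2].labels.le)));
console.log("escaped renderer leaks tag:",
  containsRawTag(renderAxisTicks(SAMPLE_SERIES, "le")));
console.log(renderAxisTicks(SAMPLE_SERIES, "le"));
```

Running it prints `true` for the unsafe renderer and `false` for the escaped one, followed by the three escaped tick labels. Escaping at the point of insertion (or building the tick nodes with DOM APIs and setting `textContent`) is the general rule; filtering label values at ingestion is not a substitute, since any value is legitimate data for a time series database.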

