Notesnook · Notesnook · CVE-2026-42090
**Name of the Vulnerable Software and Affected Versions**
Notesnook Web/Desktop versions prior to 3.3.15
Notesnook iOS/Android versions prior to 3.3.20
**Description**
A stored Cross-Site Scripting (XSS) vulnerability exists in the note export flow. Exported note fields, including `title`, `headline`, and `content`, are inserted into the generated HTML template without HTML escaping, so any markup stored in a note becomes part of the export document. When a note is exported to PDF, the application renders this HTML into a same-origin iframe with no `sandbox` attribute by assigning it to `iframe.srcdoc`, so injected scripts execute within the Notesnook origin. In the desktop application this escalates to remote code execution (RCE): Electron is configured with `nodeIntegration: true` and `contextIsolation: false`, which exposes Node.js APIs such as `require` to any script running in the renderer.
**Recommendations**
Update Web/Desktop to version 3.3.15 or later.
Update iOS/Android to version 3.3.20 or later.