PT-2026-40721 · Unknown · Prometheus

Iiihaiii +1 · Published 2026-05-05 · Updated 2026-05-28 · CVE-2026-44903

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Prometheus versions 2.49.0 through 3.5.2
Prometheus versions 3.11.0 through 3.11.2

Description

In the legacy web UI, which is only available when Prometheus is started with the --enable-feature=old-ui command-line flag, the histogram heatmap chart view inserts label values into the HTML of its axis tick-mark labels without HTML-escaping them. An attacker who can get crafted metrics ingested (the label value is the injection point) can therefore execute JavaScript, in the origin of the Prometheus web UI, in the browser of any user who views that metric in the heatmap chart view.

Recommendations

Update to version 3.5.3 (fixes the 2.49.0 through 3.5.2 range) or to version 3.11.3 (fixes the 3.11.0 through 3.11.2 range). As a temporary mitigation, disable the legacy web UI by removing the --enable-feature=old-ui flag from the Prometheus command line and restarting the server; the issue is confined to the legacy UI. To confirm which build is running and whether the flag is set, query the /api/v1/status/buildinfo and /api/v1/status/flags API endpoints.
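The following is an added example, not Prometheus's own code, that models the bug class described above: a histogram's bucket labels travel from scraped exposition text into the HTML of heatmap axis ticks. It assumes the rendered value is the histogram `le` label (the advisory only says "label values"), and the exposition sample, the payload and all function names are constructed for illustration. The unsafe renderer shows the vulnerable pattern; the safe one escapes before interpolating.

```javascript
// Added example (not Prometheus code): label values from a scrape target
// flow into tick-mark HTML. Assumption: the heatmap axis shows the `le`
// label of *_bucket samples.

// Constructed exposition-format sample, as a scrape target could serve it.
// The third bucket carries an illustrative payload in its `le` value.
const SAMPLE_EXPOSITION = `
# TYPE http_request_duration_seconds histogram
http_request_duration_seconds_bucket{le="0.005"} 3
http_request_duration_seconds_bucket{le="0.01"} 5
http_request_duration_seconds_bucket{le="<img src=x onerror=alert(1)>"} 7
http_request_duration_seconds_bucket{le="+Inf"} 9
http_request_duration_seconds_count 9
http_request_duration_seconds_sum 0.12
`;

// Undo the escapes the text format allows inside a label value: \\, \" and \n.
function unescapeLabelValue(raw) {
  return raw.replace(/\\(["\\n])/g, (_, c) => (c === "n" ? "\n" : c));
}

// Collect every `le` value from *_bucket samples, in exposition order.
// Nothing in the format forces `le` to be numeric, so arbitrary text can
// reach whatever renders it later.
function extractLeValues(exposition) {
  const values = [];
  const re = /_bucket\{[^}]*\ble="((?:[^"\\]|\\.)*)"/;
  for (const line of exposition.split("\n")) {
    const m = line.match(re);
    if (m) values.push(unescapeLabelValue(m[1]));
  }
  return values;
}

// Vulnerable pattern: the label value is interpolated straight into markup,
// so a value containing a tag becomes live HTML once assigned via innerHTML.
function renderTicksUnsafe(values) {
  return values.map((v) => `<span class="tick">${v}</span>`).join("");
}

// Escape the five characters that change meaning in HTML text or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same output shape, but the value is escaped first.
// In a real page, creating the tick element with document.createElement and
// setting textContent avoids string templating of untrusted data entirely.
function renderTicksSafe(values) {
  return values.map((v) => `<span class="tick">${escapeHtml(v)}</span>`).join("");
}
```

Running extractLeValues over the sample and feeding the result to both renderers shows the difference: the unsafe output contains the literal `<img ... onerror=...>` tag and will execute when inserted as HTML, while the safe output carries `&lt;img ... &gt;` and renders as inert text.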

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-PROMETHEUS-2026-44903
CLEANSTART-2026-AP95632
CLEANSTART-2026-MV81821
CLEANSTART-2026-QS87161
CLEANSTART-2026-TL66481
CVE-2026-44903
GHSA-FW8G-CG8F-9J28

Affected Products

Prometheus