A stored cross-site scripting (XSS) vulnerability exists in Prometheus's legacy web UI when the `--enable-feature=old-ui` flag is enabled. The histogram heatmap chart view fails to escape `le` (less than or equal) label values when rendering them as axis tick mark labels in HTML. An attacker with the ability to inject crafted metrics can execute arbitrary JavaScript in the browser of any Prometheus user w [truncated]
CVE-2026-42151 is a high-severity vulnerability in Prometheus, an open-source monitoring system. The issue arises from the client_secret field in the Azure AD remote write OAuth configuration being typed as a string instead of a Secret. This causes the Azure OAuth client secret to be exposed in plaintext via the /-/config HTTP API endpoint. The vulnerability affects Prometheus versions prior to 3.5.3 and [truncated]