MEDIUM
prometheus
CVE published 2026-05-26
CVE-2026-44903
A stored cross-site scripting (XSS) vulnerability exists in Prometheus's legacy web UI when the `--enable-feature=old-ui` flag is enabled. The histogram heatmap chart view fails to escape `le` (less than or equal) label values when rendering them as axis tick mark labels in HTML. An attacker with the ability to inject crafted metrics can execute arbitrary JavaScript in the browser of any Prometheus user w [truncated]
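As an added illustration (not Prometheus's own code and not taken from the advisory), the pattern the description refers to: a heatmap tick-label renderer that concatenates `le` values straight into markup, beside one that escapes them first, plus a sanity check on `le` values a defender can run before metrics reach any UI. All function names and sample label values here are constructed for this example.

```javascript
// Constructed illustration of the bug class in CVE-2026-44903: `le`
// label values reaching an HTML tick label without escaping.

// Escape the five characters that are significant in HTML text and
// attribute context. Output is safe to place inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (constructed): the label value is interpolated as-is,
// so any markup carried by a scraped metric becomes part of the page.
function renderTicksUnsafe(leValues) {
  return leValues.map((le) => `<span class="tick">${le}</span>`).join('');
}

// Hardened pattern: the same renderer with every value passed through
// escapeHtml, so the browser displays the label as plain text.
function renderTicksSafe(leValues) {
  return leValues.map((le) => `<span class="tick">${escapeHtml(le)}</span>`).join('');
}

// Defender-side check: on a well-formed histogram, `le` is a decimal
// number (optionally with an exponent) or the literal "+Inf". Anything
// else is worth flagging at ingestion or in a scrape audit.
const LE_PATTERN = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;
function isExpectedLeValue(le) {
  return le === '+Inf' || LE_PATTERN.test(le);
}

// Constructed sample: three normal buckets and one value carrying markup.
const sampleLe = ['0.1', '0.5', '+Inf', '2<i>x</i>'];

// Returns the values that would be rejected by the check above.
function suspiciousLeValues(leValues) {
  return leValues.filter((le) => !isExpectedLeValue(le));
}
```

Compare `renderTicksUnsafe(sampleLe)` with `renderTicksSafe(sampleLe)`: only the escaped form keeps the fourth label as visible text.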