Prometheus 3.5.2 LTS and 3.11.2 are available (CVE-2026-40179)

roidelapluie

Apr 13, 2026, 11:36:17 AM
to prometheus-announce

Hello Prometheus community,

Prometheus 3.5.2 LTS and 3.11.2 have been released.

Both releases include a fix for a Stored XSS vulnerability (GHSA-vffh-x6r8-xx99 / CVE-2026-40179) that can be triggered via crafted metric names and label values in the Prometheus web UI tooltips and metrics explorer. We strongly recommend all users upgrade.

We would like to thank Duc Anh Nguyen from TinyxLab for responsibly reporting this issue.

You can find more details here: https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99

In addition, Prometheus 3.11.2 includes improvements and fixes for the Consul SD: a new health_filter field for Health API filtering, fixing the existing filter parameter being incorrectly applied to the Health API since 3.11.0.

You can find the full changelogs and download the releases at:
https://github.com/prometheus/prometheus/releases/tag/v3.5.2
https://github.com/prometheus/prometheus/releases/tag/v3.11.2

Container images are also available at
https://quay.io/repository/prometheus/prometheus?tab=tags and
https://hub.docker.com/r/prom/prometheus/tags.

Thank you for your contributions and support in making Prometheus a
better tool for monitoring and alerting.

Best regards,

--
Julien Pivotto
@roidelapluie
