Security: prometheus/prometheus

The Prometheus security policy, including how to report vulnerabilities, can be found in SECURITY.md.

Published advisories:
- Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI (GHSA-fw8g-cg8f-9j28), published Apr 27, 2026 by roidelapluie, severity: Moderate
- Remote read endpoint allows denial of service via crafted snappy payload (GHSA-8rm2-7qqf-34qm), published Apr 27, 2026 by roidelapluie, severity: High
- Prometheus Azure AD remote write OAuth client secret exposed via config API (GHSA-wg65-39gg-5wfj), published Apr 27, 2026 by roidelapluie, severity: High
- Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer (GHSA-vffh-x6r8-xx99), published Apr 13, 2026 by roidelapluie, severity: Moderate
- Basic authentication bypass (GHSA-4v48-4q5m-8vx4), published Nov 29, 2022 by roidelapluie, severity: High
- Open Redirect under the /new endpoint (GHSA-vx57-7f4q-fpc7), published May 18, 2021 by csmarchbanks, severity: Moderate
Learn more about advisories related to prometheus/prometheus in the GitHub Advisory Database