HIGH 7.5 CVE-2026-42154 Prometheus: remote read endpoint allows denial of service via crafted snappy payload
from 0, < 3.5.3, >= 3.6.0, < 3.11.3
HIGH 7.5 CVE-2026-42151 Prometheus Azure AD remote write OAuth client secret exposed via config API
from 0, < 3.5.3, >= 3.6.0, < 3.11.3
MEDIUM 6.1 CVE-2026-44903 Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI
>= 2.49.0, < 3.5.3, >= 3.6.0, < 3.11.3
MEDIUM 6.1 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
from 0, < 0.311.2-0.20260410083055-07c6232d159b, >= 3.0.0, < 3.5.2, >= 3.6.0, < 3.11.2
MEDIUM 6.1 Arbitrary redirects under /new endpoint
>= 2.23.0, < 2.26.1, >= 2.27.0, < 2.27.1