Package Instance

HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/1088427?format=api",
    "purl": "pkg:apk/alpine/prometheus@3.5.3-r0?arch=loongarch64&distroversion=v3.23&reponame=community",
    "type": "apk",
    "namespace": "alpine",
    "name": "prometheus",
    "version": "3.5.3-r0",
    "qualifiers": {
        "arch": "loongarch64",
        "distroversion": "v3.23",
        "reponame": "community"
    },
    "subpath": "",
    "is_vulnerable": false,
    "next_non_vulnerable_version": null,
    "latest_non_vulnerable_version": null,
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/355401?format=api",
            "vulnerability_id": "VCID-5j8b-9c5q-syg6",
            "summary": "",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42151",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0001",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01256",
                            "published_at": "2026-05-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42151"
                },
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42151",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42151"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/pull/18587",
                    "reference_id": "18587",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/pull/18587"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/pull/18590",
                    "reference_id": "18590",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/pull/18590"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj",
                    "reference_id": "GHSA-wg65-39gg-5wfj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
                    "reference_id": "v3.11.3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
                    "reference_id": "v3.5.3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1088427?format=api",
                    "purl": "pkg:apk/alpine/prometheus@3.5.3-r0?arch=loongarch64&distroversion=v3.23&reponame=community",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"
                }
            ],
            "aliases": [
                "CVE-2026-42151"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5j8b-9c5q-syg6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/355400?format=api",
            "vulnerability_id": "VCID-h4am-zzay-w7cg",
            "summary": "",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42154",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05785",
                            "published_at": "2026-05-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42154"
                },
                {
                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42154",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42154"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/pull/18584",
                    "reference_id": "18584",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/pull/18584"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/pull/18585",
                    "reference_id": "18585",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/pull/18585"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
                    "reference_id": "GHSA-8rm2-7qqf-34qm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
                    "reference_id": "v3.11.3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
                    "reference_id": "v3.5.3",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1088427?format=api",
                    "purl": "pkg:apk/alpine/prometheus@3.5.3-r0?arch=loongarch64&distroversion=v3.23&reponame=community",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"
                }
            ],
            "aliases": [
                "CVE-2026-42154"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h4am-zzay-w7cg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/352065?format=api",
            "vulnerability_id": "VCID-q9xc-6ugu-53cp",
            "summary": "Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer\n### Impact\n\nStored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:\n\n* **Old React UI + New Mantine UI:** When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into `innerHTML` without escaping, causing arbitrary script execution in the user's browser.\n* **Old React UI only:** When a user opens the Metric Explorer (globe icon next to the PromQL expression input field), and a metric name containing HTML/JavaScript is rendered in the fuzzy search results, it is injected into `innerHTML` without escaping, causing arbitrary script execution in the user's browser.\n* **Old React UI only:** When a user views a heatmap chart and hovers over a cell, the `le` label values of the underlying histogram buckets are interpolated into `innerHTML` without escaping. While `le` is conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.\n\nWith Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like `<`, `>`, and `\"` are now valid in metric names and labels, making this exploitable.\n\nAn attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:\n\n- Read `/api/v1/status/config` to extract sensitive configuration (although credentials / secrets are redacted by the server)\n- Call `/-/quit` to shut down Prometheus (only if `--web.enable-lifecycle` is set)\n- Call `/api/v1/admin/tsdb/delete_series` to delete data (only if `--web.enable-admin-api` is set)\n- Exfiltrate metric data to an external server\n\nBoth the new Mantine UI and the old React UI are affected. The vulnerable code paths are:\n\n- `web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts` — tooltip `innerHTML` with unescaped `labels.__name__`\n- `web/ui/react-app/src/pages/graph/GraphHelpers.ts` — tooltip content with unescaped `labels.__name__`\n- `web/ui/react-app/src/pages/graph/MetricsExplorer.tsx` — fuzzy search results rendered via `dangerouslySetInnerHTML` without sanitization\n- `web/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js` — heatmap tooltip with unescaped label values\n\n### Patches\n\nA patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies `escapeHTML()` to all user-controlled values (metric names and label values) before inserting them into `innerHTML`. This advisory will be updated with the patched version once released.\n\n### Workarounds\n\n- If using the remote write receiver (`--web.enable-remote-write-receiver`), ensure it is not exposed to untrusted sources.\n- If using the OTLP receiver (`--web.enable-otlp-receiver`), ensure it is not exposed to untrusted sources.\n- Ensure scrape targets are trusted and not under attacker control.\n- Do not enable admin / mutating API endpoints (e.g. `--web.enable-admin-api` or `web.enable-lifecycle`) in cases where you cannot prevent untrusted data from being ingested.\n- Users should avoid clicking untrusted links, especially those containing functions such as label_replace, as they may generate poisoned label names and values.\n\n### Acknowledgements\n\nThanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40179",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01538",
                            "published_at": "2026-04-26T12:55:00Z"
                        },
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01535",
                            "published_at": "2026-05-05T12:55:00Z"
                        },
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01548",
                            "published_at": "2026-04-29T12:55:00Z"
                        },
                        {
                            "value": "0.00011",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0154",
                            "published_at": "2026-04-24T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02755",
                            "published_at": "2026-04-18T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02744",
                            "published_at": "2026-04-16T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05104",
                            "published_at": "2026-04-21T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40179"
                },
                {
                    "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
                        }
                    ],
                    "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:21:31Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/pull/18506",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:21:31Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/pull/18506"
                },
                {
                    "reference_url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:21:31Z/"
                        }
                    ],
                    "url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40179",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40179"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1088427?format=api",
                    "purl": "pkg:apk/alpine/prometheus@3.5.3-r0?arch=loongarch64&distroversion=v3.23&reponame=community",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"
                }
            ],
            "aliases": [
                "CVE-2026-40179",
                "GHSA-vffh-x6r8-xx99"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q9xc-6ugu-53cp"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"
}