Look up vulnerable packages by Package URL.

Purl pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
Type apk
Namespace alpine
Name prometheus
Version 3.5.3-r0
Qualifiers
arch armhf
distroversion v3.23
reponame community
Subpath
Is_vulnerable false
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-5j8b-9c5q-syg6
vulnerability_id VCID-5j8b-9c5q-syg6
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42151
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01256
published_at 2026-05-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42151
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42151
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42151
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/prometheus/prometheus
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/prometheus/prometheus
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42151
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42151
5
reference_url https://github.com/prometheus/prometheus/pull/18587
reference_id 18587
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/
url https://github.com/prometheus/prometheus/pull/18587
6
reference_url https://github.com/prometheus/prometheus/pull/18590
reference_id 18590
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/
url https://github.com/prometheus/prometheus/pull/18590
7
reference_url https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
reference_id GHSA-wg65-39gg-5wfj
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/
url https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
8
reference_url https://github.com/prometheus/prometheus/releases/tag/v3.11.3
reference_id v3.11.3
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/
url https://github.com/prometheus/prometheus/releases/tag/v3.11.3
9
reference_url https://github.com/prometheus/prometheus/releases/tag/v3.5.3
reference_id v3.5.3
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:54:39Z/
url https://github.com/prometheus/prometheus/releases/tag/v3.5.3
fixed_packages
0
url pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=armhf&distroversion=v3.23&reponame=community
aliases CVE-2026-42151, GHSA-wg65-39gg-5wfj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5j8b-9c5q-syg6
1
url VCID-h4am-zzay-w7cg
vulnerability_id VCID-h4am-zzay-w7cg
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42154
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.05785
published_at 2026-05-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42154
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42154
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42154
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/prometheus/prometheus
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/prometheus/prometheus
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42154
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42154
5
reference_url https://github.com/prometheus/prometheus/pull/18584
reference_id 18584
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/
url https://github.com/prometheus/prometheus/pull/18584
6
reference_url https://github.com/prometheus/prometheus/pull/18585
reference_id 18585
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/
url https://github.com/prometheus/prometheus/pull/18585
7
reference_url https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
reference_id GHSA-8rm2-7qqf-34qm
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/
url https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
8
reference_url https://github.com/prometheus/prometheus/releases/tag/v3.11.3
reference_id v3.11.3
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/
url https://github.com/prometheus/prometheus/releases/tag/v3.11.3
9
reference_url https://github.com/prometheus/prometheus/releases/tag/v3.5.3
reference_id v3.5.3
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:18:48Z/
url https://github.com/prometheus/prometheus/releases/tag/v3.5.3
fixed_packages
0
url pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=armhf&distroversion=v3.23&reponame=community
aliases CVE-2026-42154, GHSA-8rm2-7qqf-34qm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h4am-zzay-w7cg
2
url VCID-q9xc-6ugu-53cp
vulnerability_id VCID-q9xc-6ugu-53cp
summary
Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer
### Impact

Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:

* **Old React UI + New Mantine UI:** When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into `innerHTML` without escaping, causing arbitrary script execution in the user's browser.
* **Old React UI only:** When a user opens the Metric Explorer (globe icon next to the PromQL expression input field), and a metric name containing HTML/JavaScript is rendered in the fuzzy search results, it is injected into `innerHTML` without escaping, causing arbitrary script execution in the user's browser.
* **Old React UI only:** When a user views a heatmap chart and hovers over a cell, the `le` label values of the underlying histogram buckets are interpolated into `innerHTML` without escaping. While `le` is conventionally a numeric bucket boundary, Prometheus does not enforce this — arbitrary UTF-8 strings are accepted as label values, allowing script injection via a crafted scrape target or remote write.

With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like `<`, `>`, and `"` are now valid in metric names and labels, making this exploitable.

An attacker who can inject metrics (via a compromised scrape target, remote write, or OTLP receiver endpoint) can execute JavaScript in the browser of any Prometheus user who views the metric in the Graph UI. From the XSS context, an attacker could for example:

- Read `/api/v1/status/config` to extract sensitive configuration (although credentials / secrets are redacted by the server)
- Call `/-/quit` to shut down Prometheus (only if `--web.enable-lifecycle` is set)
- Call `/api/v1/admin/tsdb/delete_series` to delete data (only if `--web.enable-admin-api` is set)
- Exfiltrate metric data to an external server

Both the new Mantine UI and the old React UI are affected. The vulnerable code paths are:

- `web/ui/mantine-ui/src/pages/query/uPlotChartHelpers.ts` — tooltip `innerHTML` with unescaped `labels.__name__`
- `web/ui/react-app/src/pages/graph/GraphHelpers.ts` — tooltip content with unescaped `labels.__name__`
- `web/ui/react-app/src/pages/graph/MetricsExplorer.tsx` — fuzzy search results rendered via `dangerouslySetInnerHTML` without sanitization
- `web/ui/react-app/src/vendor/flot/jquery.flot.heatmap.js` — heatmap tooltip with unescaped label values

### Patches

A patch has been published in Prometheus 3.5.2 LTS and Prometheus 3.11.2. The fix applies `escapeHTML()` to all user-controlled values (metric names and label values) before inserting them into `innerHTML`. This advisory will be updated with the patched version once released.

### Workarounds

- If using the remote write receiver (`--web.enable-remote-write-receiver`), ensure it is not exposed to untrusted sources.
- If using the OTLP receiver (`--web.enable-otlp-receiver`), ensure it is not exposed to untrusted sources.
- Ensure scrape targets are trusted and not under attacker control.
- Do not enable admin / mutating API endpoints (e.g. `--web.enable-admin-api` or `--web.enable-lifecycle`) in cases where you cannot prevent untrusted data from being ingested.
- Users should avoid clicking untrusted links, especially those containing functions such as label_replace, as they may generate poisoned label names and values.

### Acknowledgements

Thanks to @gladiator9797 (Duc Anh Nguyen from TinyxLab) for reporting this.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40179
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01538
published_at 2026-04-26T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.0154
published_at 2026-04-24T12:55:00Z
2
value 0.00011
scoring_system epss
scoring_elements 0.01535
published_at 2026-05-05T12:55:00Z
3
value 0.00011
scoring_system epss
scoring_elements 0.01548
published_at 2026-04-29T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.02755
published_at 2026-04-18T12:55:00Z
5
value 0.00015
scoring_system epss
scoring_elements 0.02744
published_at 2026-04-16T12:55:00Z
6
value 0.00019
scoring_system epss
scoring_elements 0.05104
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40179
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/prometheus/prometheus
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/prometheus/prometheus
3
reference_url https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:21:31Z/
url https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c
4
reference_url https://github.com/prometheus/prometheus/pull/18506
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:21:31Z/
url https://github.com/prometheus/prometheus/pull/18506
5
reference_url https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:21:31Z/
url https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40179
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40179
fixed_packages
0
url pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/prometheus@3.5.3-r0?arch=armhf&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=armhf&distroversion=v3.23&reponame=community
aliases CVE-2026-40179, GHSA-vffh-x6r8-xx99
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q9xc-6ugu-53cp
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/prometheus@3.5.3-r0%3Farch=armhf&distroversion=v3.23&reponame=community