UBUNTU-CVE-2026-44903

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-44903

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-44903

Upstream

CVE-2026-44903

Published

2026-05-26T22:16:00Z

Modified

2026-06-08T09:45:11.390080229Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.

References

Affected packages

Ubuntu:16.04:LTS

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14.0+ds-1

0.16.2+ds-1

0.16.2+ds-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.16.2+ds-1ubuntu1",
            "binary_name": "prometheus"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"

Ubuntu:18.04:LTS

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.1+ds-1

1.8.1+ds-2

2.*

2.1.0+ds-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "prometheus",
            "binary_version": "2.1.0+ds-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"

Ubuntu:20.04:LTS

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.1+ds-3

2.15.2+ds-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "prometheus",
            "binary_version": "2.15.2+ds-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"

Ubuntu:25.10

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.53.3+ds1-1

2.53.3+ds1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-prometheus-prometheus-dev",
            "binary_version": "2.53.3+ds1-2"
        },
        {
            "binary_name": "prometheus",
            "binary_version": "2.53.3+ds1-2"
        },
        {
            "binary_version": "2.53.3+ds1-2",
            "binary_name": "promtool"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"

Ubuntu:26.04:LTS

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.53.3+ds1-2

2.53.5+ds1-2

2.53.5+ds1-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-prometheus-prometheus-dev",
            "binary_version": "2.53.5+ds1-3"
        },
        {
            "binary_name": "prometheus",
            "binary_version": "2.53.5+ds1-3"
        },
        {
            "binary_name": "promtool",
            "binary_version": "2.53.5+ds1-3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"

Ubuntu:Pro:22.04:LTS

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.24.1+ds-1ubuntu1

2.24.1+ds-1ubuntu2

2.31.1+ds2-2

2.31.2+ds1-1

2.31.2+ds1-1ubuntu1

2.31.2+ds1-1ubuntu1.22.04.1

2.31.2+ds1-1ubuntu1.22.04.2

2.31.2+ds1-1ubuntu1.22.04.3

2.31.2+ds1-1ubuntu1.22.04.3+esm1

2.31.2+ds1-1ubuntu1.22.04.3+esm2

2.31.2+ds1-1ubuntu1.22.04.3+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "prometheus",
            "binary_version": "2.31.2+ds1-1ubuntu1.22.04.3+esm3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"

Ubuntu:Pro:24.04:LTS

prometheus

Package

Name: prometheus
Purl: pkg:deb/ubuntu/prometheus?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.45.0+ds-3build1

2.45.1+ds-1

2.45.1+ds-2

2.45.1+ds-3

2.45.3+ds-2

2.45.3+ds-2build1

2.45.3+ds-2ubuntu0.1

2.45.3+ds-2ubuntu0.2

2.45.3+ds-2ubuntu0.2+esm1

2.45.3+ds-2ubuntu0.2+esm2

2.45.3+ds-2ubuntu0.3

2.45.3+ds-2ubuntu0.3+esm1

2.45.3+ds-2ubuntu0.3+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "prometheus",
            "binary_version": "2.45.3+ds-2ubuntu0.3+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44903.json"