Prometheus | v3.11.2

Prometheus v3.11.2 released on 13-04-2026


Prometheus v3.11.2 is out now. It fixes a stored cross-site scripting vulnerability in the web UI (CVE-2026-40179) and adds Consul service discovery improvements that reduce client-side filtering work.

Visit the Prometheus GitHub release page for full details, changelog and the linked pull requests.

What’s in this release

  • [SECURITY] UI: Fix stored XSS via unescaped metric names and labels shown in tooltips and the metrics explorer; metric names and labels are now properly escaped to prevent script injection. CVE-2026-40179. Credit: Duc Anh Nguyen (TinyxLab). (PR #18506)
  • [ENHANCEMENT] Consul SD: Introduce a new consul_sd field, health_filter, to pass a filter expression to Consul’s Health API for server-side filtering of health checks and services. (PR #18499)
  • [BUGFIX] Consul SD: Correct application of the filter parameter to Consul’s Health API so intended filtering is applied as expected. (PR #18499)

Upgrade notes

  • Security release — upgrade to v3.11.2 immediately if the web UI is exposed or the instance ingests untrusted metrics; see CVE-2026-40179 and PR #18506 for context.
  • No breaking changes reported; follow your normal upgrade procedure and test in staging before rolling to production.

Share comments on your upgrade experience or any issues you encounter with the new release.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes