Prometheus v3.11.2 released on 13-04-2026

Prometheus v3.11.2 is out now. It fixes a stored cross-site scripting vulnerability in the web UI that could be triggered by crafted metric names and label values, and adds more precise Consul service-discovery filtering.
See the Prometheus GitHub release notes for full details and installation guidance.

What’s in this release
- Security: UI stored XSS fix — user-provided metric and label text is now properly escaped to prevent script injection (CVE-2026-40179). Credit to Duc Anh Nguyen (TinyxLab) for reporting.
- Enhancement: Consul SD gains a new health_filter field for declarative Health API filtering.
- Bugfix: Corrected handling of the filter parameter for the Consul Health API so configured filters are honoured when discovering targets.

Upgrade notes
- Install the update to address CVE-2026-40179; consult the project’s release notes on GitHub for any platform-specific instructions.
- The release notes do not list breaking changes or deprecations; follow the usual rollback procedures if you encounter unexpected behaviour.
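
Alongside the upgrade, it can help to check whether any series already stored carry markup-like text in their metric names, label names or label values. The script below is an added example, not code from the Prometheus project: it reads the JSON body returned by the `/api/v1/series` HTTP API and flags entries for review. The character set it checks and the sample data are assumptions made for illustration, since the release notes do not describe the triggering input.

```python
import json

# Assumption: characters treated as "markup-like". A hit means "review this
# series", not proof of an injection attempt.
HTML_META = set("<>\"'")

def suspicious_series(series_json: str):
    """Return (metric, label, kind) tuples for names/values with HTML metacharacters.

    series_json is the body of GET /api/v1/series?match[]=<selector>.
    """
    doc = json.loads(series_json)
    if doc.get("status") != "success":
        raise ValueError(f"unexpected API status: {doc.get('status')!r}")
    findings = []
    for labels in doc.get("data", []):
        metric = labels.get("__name__", "")
        for name, value in labels.items():
            if name != "__name__" and HTML_META & set(name):
                findings.append((metric, name, "label name"))
            if HTML_META & set(value):
                kind = "metric name" if name == "__name__" else "label value"
                findings.append((metric, name, kind))
    # Many series share a metric name; report each finding once, in order.
    return list(dict.fromkeys(findings))

# Constructed sample response (not real data).
SAMPLE = json.dumps({
    "status": "success",
    "data": [
        {"__name__": "up", "job": "node", "instance": "10.0.0.5:9100"},
        {"__name__": "http_requests_total", "job": "api", "path": "/search?q=a&b=1"},
        {"__name__": "queue<b>depth</b>", "job": "batch"},
        {"__name__": "queue<b>depth</b>", "job": "batch2"},
        {"__name__": "disk_free", 'mount"point': "/var"},
        {"__name__": "build_info", "version": "1.2 <beta>"},
    ],
})

if __name__ == "__main__":
    for metric, label, kind in suspicious_series(SAMPLE):
        print(f"{kind}: metric={metric!r} label={label!r}")
```

Findings point at the scrape target or remote-write source that produced the series, which is where the input should be traced and cleaned up.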
Comments and reports on upgrade experience are welcome — share any issues or observations so others can benefit.

