Critical XSS and Code Execution Vulnerabilities in Fedora Prometheus Update

Critical XSS and Code Execution Vulnerabilities in Fedora Prometheus Update

First seen 11 Jul 2026, 23:28 UTC Linuxsecurity 95% similarity 74.0

Article Content

Browse articles
ThreatCluster

On July 2, 2026, Fedora released an update for Prometheus addressing multiple critical vulnerabilities. The update includes fixes for CVE-2026-40186, CVE-2026-44990, CVE-2026-41567, CVE-2026-53606, and CVE-2026-25681. These vulnerabilities allow for various attack vectors, including Cross-Site Scripting (XSS) and arbitrary code execution via malicious container images. The affected systems include Fedora with Prometheus and associated components. Users are urged to update their systems using the 'dnf' package manager. The vulnerabilities were reported by Mikel Olasagasti Uranga and are now patched. The scope of impact is significant, as these flaws could lead to severe security breaches if exploited. The update is critical for maintaining system integrity and security.

Key Points: • Fedora's Prometheus update addresses multiple critical vulnerabilities. • Key CVEs include XSS and arbitrary code execution flaws. • Users must update systems immediately using 'dnf' to mitigate risks.

ThreatCluster AI

Timeline

2026-04-15
CVE-2026-40186 published
A vulnerability in Prometheus allows bypass of HTML sanitizer, leading to XSS risks.
Linuxsecurity
2026-05-22
CVE-2026-25681 published
Arbitrary code execution vulnerability via Cross-Site Scripting in golang.org/x/net/html.
Linuxsecurity
2026-06-05
CVE-2026-41567 published
Arbitrary code execution via malicious container image upload in Moby/Docker Engine.
Linuxsecurity
2026-06-12
CVE-2026-44990 published
Stored XSS vulnerability due to HTML sanitizer bypass in Prometheus.
Linuxsecurity
2026-06-12
CVE-2026-53606 published
XSS vulnerability due to insufficient URI scheme validation in sanitize-html.
Linuxsecurity
2026-07-02
Fedora Prometheus update released
An update was released addressing multiple critical vulnerabilities, urging users to upgrade.
Linuxsecurity

Community

Browse all →