Affected by GO-2026-5264
and 2 other vulnerabilities
GO-2026-5264: Prometheus: Remote read endpoint allows denial of service via crafted snappy payload in github.com/prometheus/prometheus
GO-2026-5381: Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display in github.com/prometheus/prometheus
GO-2026-5662: Prometheus has Stored XSS via metric names and label values in Prometheus web UI in github.com/prometheus/prometheus