diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14baf6f01d..97cd81d170 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 3.11.2 / 2026-04-13
+
+This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
+
+- [SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #18506
+- [ENHANCEMENT] Consul SD: Introduce `health_filter` field for Health API filtering. #18499
+- [BUGFIX] Consul SD: Fix filter parameter being incorrectly applied to the Health API. #18499
+
 ## 3.11.1 / 2026-04-07
 
 - [BUGFIX] Tracing: Fix startup failure for OTLP HTTP tracing with `insecure: true`. #18469
diff --git a/VERSION b/VERSION
index 371cfe355d..1e33456831 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.11.1
+3.11.2
diff --git a/web/ui/mantine-ui/package.json b/web/ui/mantine-ui/package.json
index 7b2b5acfa9..6af3419aca 100644
--- a/web/ui/mantine-ui/package.json
+++ b/web/ui/mantine-ui/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@prometheus-io/mantine-ui",
 "private": true,
- "version": "0.311.1",
+ "version": "0.311.2",
 "type": "module",
 "scripts": {
 "start": "vite",
@@ -28,7 +28,7 @@
 "@microsoft/fetch-event-source": "^2.0.1",
 "@nexucis/fuzzy": "^0.5.1",
 "@nexucis/kvsearch": "^0.9.1",
- "@prometheus-io/codemirror-promql": "0.311.1",
+ "@prometheus-io/codemirror-promql": "0.311.2",
 "@reduxjs/toolkit": "^2.11.2",
 "@tabler/icons-react": "^3.40.0",
 "@tanstack/react-query": "^5.95.2",
diff --git a/web/ui/module/codemirror-promql/package.json b/web/ui/module/codemirror-promql/package.json
index fc7de423a3..8f12a5c31e 100644
--- a/web/ui/module/codemirror-promql/package.json
+++ b/web/ui/module/codemirror-promql/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@prometheus-io/codemirror-promql",
- "version": "0.311.1",
+ "version": "0.311.2",
 "description": "a CodeMirror mode for the PromQL language",
 "types": "dist/esm/index.d.ts",
 "module": "dist/esm/index.js",
@@ -29,7 +29,7 @@
 },
 "homepage": "https://github.com/prometheus/prometheus/blob/main/web/ui/module/codemirror-promql/README.md",
 "dependencies": {
- "@prometheus-io/lezer-promql": "0.311.1",
+ "@prometheus-io/lezer-promql": "0.311.2",
 "lru-cache": "^11.2.7"
 },
 "devDependencies": {
diff --git a/web/ui/module/lezer-promql/package.json b/web/ui/module/lezer-promql/package.json
index 6b7238522c..23818f2bba 100644
--- a/web/ui/module/lezer-promql/package.json
+++ b/web/ui/module/lezer-promql/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@prometheus-io/lezer-promql",
- "version": "0.311.1",
+ "version": "0.311.2",
 "description": "lezer-based PromQL grammar",
 "main": "dist/index.cjs",
 "type": "module",
diff --git a/web/ui/package-lock.json b/web/ui/package-lock.json
index 67636d8609..d171bc249f 100644
--- a/web/ui/package-lock.json
+++ b/web/ui/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "prometheus-io",
- "version": "0.311.1",
+ "version": "0.311.2",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "prometheus-io",
- "version": "0.311.1",
+ "version": "0.311.2",
 "workspaces": [
 "mantine-ui",
 "module/*"
@@ -24,7 +24,7 @@
 },
 "mantine-ui": {
 "name": "@prometheus-io/mantine-ui",
- "version": "0.311.1",
+ "version": "0.311.2",
 "dependencies": {
 "@codemirror/autocomplete": "^6.20.1",
 "@codemirror/language": "^6.12.3",
@@ -42,7 +42,7 @@
 "@microsoft/fetch-event-source": "^2.0.1",
 "@nexucis/fuzzy": "^0.5.1",
 "@nexucis/kvsearch": "^0.9.1",
- "@prometheus-io/codemirror-promql": "0.311.1",
+ "@prometheus-io/codemirror-promql": "0.311.2",
 "@reduxjs/toolkit": "^2.11.2",
 "@tabler/icons-react": "^3.40.0",
 "@tanstack/react-query": "^5.95.2",
@@ -172,10 +172,10 @@
 },
 "module/codemirror-promql": {
 "name": "@prometheus-io/codemirror-promql",
- "version": "0.311.1",
+ "version": "0.311.2",
 "license": "Apache-2.0",
 "dependencies": {
- "@prometheus-io/lezer-promql": "0.311.1",
+ "@prometheus-io/lezer-promql": "0.311.2",
 "lru-cache": "^11.2.7"
 },
 "devDependencies": {
@@ -205,7 +205,7 @@
 },
 "module/lezer-promql": {
 "name": "@prometheus-io/lezer-promql",
- "version": "0.311.1",
+ "version": "0.311.2",
 "license": "Apache-2.0",
 "devDependencies": {
 "@lezer/generator": "^1.8.0",
diff --git a/web/ui/package.json b/web/ui/package.json
index cd2e902c89..cad35c9697 100644
--- a/web/ui/package.json
+++ b/web/ui/package.json
@@ -1,7 +1,7 @@
 {
 "name": "prometheus-io",
 "description": "Monorepo for the Prometheus UI",
- "version": "0.311.1",
+ "version": "0.311.2",
 "private": true,
 "scripts": {
 "build": "bash build_ui.sh --all",