Cross-Site Scripting Vulnerability in Hackage-Server by Haskell
CVE-2026-40470

Score: 9.9 (CRITICAL)

Key Information:

Status:
Vendor:
CVE Published: 23 April 2026

What is CVE-2026-40470?

An XSS vulnerability was discovered that affects Hackage-Server and its associated website, hackage.haskell.org. The flaw arises from insecurely serving HTML and JavaScript files that are embedded in uploaded source packages or uploaded documentation, so an uploader can place script of their choosing on the site. If users with valid HTTP credentials navigate to such compromised package pages, their active sessions can be hijacked. This potentially enables attackers to perform unauthorized actions, including uploading malicious packages or modifying package metadata, putting user security at high risk.
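The description above concerns attacker-supplied HTML and JavaScript, arriving inside uploaded packages or documentation, being served in a way that lets it run with the viewer's session. The Python below is an added example written for this page; it is not hackage-server code and not the fix the project shipped. It contrasts a naive handler that returns such files with no isolation against one that serves them under a Content-Security-Policy sandbox (an opaque origin, so the script still runs for legitimate docs but cannot read the site's cookies or other pages), and it includes an audit function a defender can run over a server's responses to flag the weak case. The `/package/<name>/docs/` and `/src/` path layout and all function names are assumptions for illustration.

```python
"""Serving uploader-controlled files (docs, package sources) without granting
them the site's origin.  Added example; the path convention is an assumption,
not hackage-server's real routing."""
import mimetypes
from typing import Dict, List

# Constructed convention: anything under /package/<pkg>/docs/ or
# /package/<pkg>/src/ came from an uploader and is untrusted content.
UNTRUSTED_SEGMENTS = ("/docs/", "/src/")

# Content types a browser will execute script from when rendered as a
# top-level document (SVG is easy to forget).
SCRIPT_CAPABLE = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# A sandbox WITHOUT 'allow-same-origin' puts the document in an opaque origin:
# its script still runs (documentation keeps working) but it cannot read the
# site's cookies or storage, and its requests are treated as cross-origin.
SANDBOX_CSP = "sandbox allow-scripts allow-popups"


def is_untrusted_content(path: str) -> bool:
    """True when the path points at uploader-supplied material."""
    return path.startswith("/package/") and any(seg in path for seg in UNTRUSTED_SEGMENTS)


def content_type_for(path: str) -> str:
    ctype, _ = mimetypes.guess_type(path)
    return ctype or "application/octet-stream"


def naive_headers(path: str) -> Dict[str, str]:
    """The weak configuration: an uploaded HTML file comes back as text/html on
    the main origin with no isolation, so its script runs with whatever session
    the viewer holds."""
    return {"Content-Type": content_type_for(path)}


def hardened_headers(path: str) -> Dict[str, str]:
    """Same response, but untrusted files are isolated from the site's origin."""
    headers = naive_headers(path)
    if is_untrusted_content(path):
        headers["Content-Security-Policy"] = SANDBOX_CSP
        # Stop the browser from upgrading a mislabelled file to an executable type.
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def audit_response(path: str, headers: Dict[str, str]) -> List[str]:
    """Detection helper: report an untrusted file served with origin privileges."""
    findings: List[str] = []
    if not is_untrusted_content(path):
        return findings
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    directives = [d.strip() for d in headers.get("Content-Security-Policy", "").split(";") if d.strip()]
    # Only a sandbox that does not re-grant the origin counts as isolation.
    sandboxed = any(d.split()[0] == "sandbox" and "allow-same-origin" not in d for d in directives)
    if ctype in SCRIPT_CAPABLE and not sandboxed:
        findings.append(f"{path}: {ctype} served on the main origin without a CSP sandbox")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append(f"{path}: missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    doc = "/package/example-pkg-1.0/docs/index.html"  # constructed path
    for name, h in (("naive", naive_headers(doc)), ("hardened", hardened_headers(doc))):
        print(name, audit_response(doc, h) or "no findings")
```

The audit treats a `Content-Type` with parameters (`text/html; charset=utf-8`) the same as the bare type, and it deliberately rejects a sandbox that includes `allow-same-origin`, since that directive hands the origin back to the document and defeats the isolation.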

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved