Cross-Site Scripting Vulnerability in Hackage Server
CVE-2026-40472
9.9 CRITICAL
What is CVE-2026-40472?
In Hackage Server, user-controlled metadata from .cabal files is rendered into HTML href attributes without adequate sanitization. A malicious user can therefore inject script that executes in the context of a visiting user's browser, which can lead to data theft, session hijacking, or other malicious activity. Users of Hackage Server should apply the necessary patches and updates to mitigate this vulnerability.
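The defensive pattern for this class of bug, as an added Python example that is not Hackage Server's code or its patch: allow-list the URL scheme of untrusted metadata and attribute-escape the value before it reaches an href. Assumptions: the `homepage` and `bug-reports` fields are used only as illustrative .cabal fields (the page does not say which fields are affected), only http and https links are wanted, and the sample package description is constructed.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}        # assumption: only web links get an href
LINK_FIELDS = ("homepage", "bug-reports")  # illustrative fields, not the CVE's list

# Constructed sample package description (not taken from any real package).
SAMPLE_CABAL = """\
name: demo-pkg
version: 0.1.0.0
homepage: javascript:alert(1)
bug-reports: https://example.org/issues?q="><b>x
"""

def parse_fields(cabal_text):
    """Parse top-level 'name: value' lines (simplified; real .cabal syntax is richer)."""
    fields = {}
    for line in cabal_text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue  # skip nested sections and continuation lines
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def safe_href(value):
    """Return the value escaped for an HTML attribute, or None if it must not be linked."""
    # Browsers ignore tabs/newlines inside URLs and strip leading control
    # characters, so "java\tscript:" still runs; reject instead of normalising.
    if not value or any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(value, quote=True)  # blocks breaking out of href="..."

def render_links(cabal_text):
    """Render link fields; rejected values appear as escaped text, never as an href."""
    fields = parse_fields(cabal_text)
    out = []
    for name in LINK_FIELDS:
        raw = fields.get(name, "")
        href = safe_href(raw)
        text = html.escape(raw, quote=True)
        out.append(f'<a href="{href}">{text}</a>' if href else f"<span>{text}</span>")
    return out
```

Both checks are needed: the scheme allow-list stops script-bearing URLs, and the attribute escaping stops a value with an acceptable scheme from closing the attribute and adding markup.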
