CVE-2026-40472 PUBLISHED

Hackage package metadata stored XSS vulnerability

Assigner: redhat-cnalr
Reserved: 13.04.2026 Published: 23.04.2026 Updated: 23.04.2026

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Package Collection	https://hackage.haskell.org/package/hackage-server
Package Name	hackage-server
Versions	Default: unaffected affected from 0.1 to * (excl.)

References

https://osv.dev/vulnerability/HSEC-2026-0004

Problem Types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE