CVE-2026-40470 - Vulnerability Analysis
CriticalCVSS: 9.9Last Updated: April 23, 2026
hackage-server - Stored XSS
Published: April 23, 2026Updated: April 23, 2026Remote Exploitable
Overview
hackage-server and hackage.haskell.org contain a stored XSS caused by serving HTML and JavaScript files from source packages or documentation upload as-is, letting attackers hijack user sessions and perform authorized actions, exploit requires user to have latent HTTP credentials and visit malicious package pages.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Attackers can hijack user sessions to upload packages, modify metadata, or perform any authorized user actions.
Mitigation
Update to the latest version of hackage-server that sanitizes served content.
Related Resources
Details
- CVE ID
- CVE-2026-40470
- Severity
- Critical
- CVSS Score
- 9.9
- Type
- stored_xss
- Status
- new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L