CVE-2026-40472 - Vulnerability Analysis
Severity: Critical | CVSS: 9.9 | Last Updated: April 23, 2026
hackage-server - Stored XSS
Published: April 23, 2026 | Updated: April 23, 2026 | Remote Exploitable
Overview
hackage-server contains a stored XSS vulnerability: user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, allowing attackers to execute scripts in the browsers of users who view the affected pages. Exploitation requires crafted package metadata.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Attackers can execute scripts in users' browsers, potentially stealing cookies or performing actions on behalf of users.
Mitigation
Update to the latest version with proper sanitization of metadata in href attributes.
Details
- CVE ID: CVE-2026-40472
- Severity: Critical
- CVSS Score: 9.9
- Type: stored_xss
- Status: new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L