Description
A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the main hackage.haskell.org domain. As a consequence,
when a user with latent HTTP credentials browses to the package
pages or documentation uploaded by a malicious package maintainer,
their session can be hijacked to upload packages or
documentation, amend maintainers or other package metadata, or
perform any other action the user is authorised to do.
Published: 2026-04-23
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting leading to session hijack and unauthorized actions
Action: Immediate Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in the Hackage package repository. HTML and JavaScript files supplied either inside source packages or through the documentation upload facility are served verbatim on the main hackage.haskell.org origin. When a user whose browser still holds HTTP credentials for that origin (the advisory's "latent" credentials, which the browser attaches to every request without prompting) visits such a page, the uploaded script executes with the site's own origin, so any request it issues is authenticated as that user. The attacker can then do anything the compromised user is authorised to do, including uploading packages or documentation, modifying package metadata, or adding and removing maintainers. The flaw is a classic CWE-79 vulnerability; the Hackage-specific aggravating factor is that uploader-controlled files share an origin with the authenticated site.

Affected Systems

The affected products are hackage-server and the public hackage.haskell.org site that runs it. The advisory gives no version information, so any hackage-server instance that has not applied the fix should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 9.9 indicates critical severity; the vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) records that the attacker needs only a low-privileged account (a maintainer able to upload) and that the impact lands in a different security scope, namely the victim's browser session. The EPSS score of <1% shows a very low estimated probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a stored web attack: a malicious package maintainer, or anyone else able to upload documentation, places crafted HTML or JavaScript in a package or its docs. When a user who holds HTTP credentials for hackage.haskell.org opens that content, the script runs on the main origin and can issue requests that carry those credentials, so the attacker acts with that user's privileges for as long as the credentials remain valid.

Generated by OpenCVE AI on April 28, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the hackage-server patch as soon as the maintainers publish one (the remediation section on this page lists none yet); until then, rely on the measures below.
  • Stop serving uploader-controlled HTML and JavaScript as live documents on the hackage.haskell.org origin. Filtering script out of uploaded documentation and source packages is fragile (HTML parsers and browsers disagree on what counts as script); the robust fix is to serve such files from a separate origin that holds no Hackage session or HTTP credentials, or, where that is not possible, to serve them as inert content (text/plain with X-Content-Type-Options: nosniff and Content-Disposition: attachment).
  • Send a strict Content-Security-Policy on every response: for uploaded content, a sandbox directive (add allow-scripts only on a separate, credential-free origin) with default-src restricted to that origin; for server-rendered pages, a script-src without 'unsafe-inline'. CSP limits what residual XSS can do, but it is defense in depth, not a replacement for keeping uploader-controlled files off the credentialed origin.
  • Monitor authentication and session logs, and the audit trail of uploads and maintainer changes, for actions an account did not initiate: unexpected package or documentation uploads and maintainer additions are the concrete outcomes this vulnerability enables.

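The separate-origin and CSP measures in the recommended actions above, worked through as an added example that is not hackage-server's own code: a Python serving policy that decides, per request, how uploader-controlled files are delivered. The host name docs.hackage.example and the /package/<name>/docs and /package/<name>/src URL layout are assumptions made for the illustration; sandbox_host=None models a deployment that has no second origin and must serve uploads inert instead.

```python
# Added example, not hackage-server code. Decides how a request for a file
# under a package's docs/ or src/ tree is answered so that uploader-controlled
# HTML and JavaScript never execute on the origin that carries user sessions.
# DOCS_ORIGIN and the URL layout are assumptions made for this illustration.
import mimetypes
import re

MAIN_ORIGIN = "hackage.haskell.org"   # origin whose cookies/HTTP credentials are valuable
DOCS_ORIGIN = "docs.hackage.example"  # assumed separate, credential-free host for uploads

# Paths whose bytes come from the uploader rather than from server templates
# (assumed layout: /package/<pkg>/docs/... for Haddock output,
# /package/<pkg>/src/... for the source browser).
USER_CONTENT = re.compile(r"^/package/[^/]+/(docs|src)(/|$)")

# Types a browser interprets as a document or script rather than showing inertly.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/x-javascript",
}

# Policy for the separate origin: scripts may run (rendered Haddock output uses
# them) but the document gets an opaque origin, cannot navigate the top frame
# or submit forms, and may only load subresources from the same host.
SANDBOX_CSP = "sandbox allow-scripts; default-src 'self'; base-uri 'none'; form-action 'none'"

# Policy for server-rendered pages on the main origin: no inline script, no plugins.
MAIN_CSP = "default-src 'self'; object-src 'none'; base-uri 'self'"


def content_type_for(path):
    """Derive the type from the extension; unknown extensions fall back to a
    type that no browser will render as a document."""
    ctype, _ = mimetypes.guess_type(path)
    return ctype or "application/octet-stream"


def headers_for(host, path, sandbox_host=DOCS_ORIGIN):
    """Return (status, headers) for a GET of `path` on virtual host `host`.

    sandbox_host=None models a deployment without a second origin; user
    content is then served inert on the main origin instead of redirected.
    """
    user_content = USER_CONTENT.match(path) is not None
    ctype = content_type_for(path)

    if user_content and host == sandbox_host:
        # Credential-free origin: serve with the real type, but sandboxed and
        # with sniffing disabled so text/plain is never promoted to HTML.
        return 200, {
            "Content-Type": ctype,
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": SANDBOX_CSP,
            "Referrer-Policy": "no-referrer",
        }

    if user_content:
        if sandbox_host is not None:
            # Never answer with uploader bytes on the credentialed origin.
            return 302, {"Location": f"https://{sandbox_host}{path}"}
        # Fallback without a second origin: HTML/JS/SVG become a plain-text
        # download; passive types (CSS, PNG) keep their type. Either way the
        # response is not a scriptable document on this origin.
        headers = {
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'",
        }
        if ctype in ACTIVE_TYPES:
            headers["Content-Type"] = "text/plain; charset=utf-8"
            headers["Content-Disposition"] = "attachment"
        else:
            headers["Content-Type"] = ctype
        return 200, headers

    # Server-rendered pages: package listings, metadata, upload forms.
    return 200, {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": MAIN_CSP,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for host, path in [
        (MAIN_ORIGIN, "/package/foo-1.0/docs/index.html"),
        (DOCS_ORIGIN, "/package/foo-1.0/docs/index.html"),
        (MAIN_ORIGIN, "/package/foo-1.0/src/evil.svg"),
        (MAIN_ORIGIN, "/package/foo-1.0"),
    ]:
        print(host, path, headers_for(host, path))
```

The redirect branch is the one that actually closes the hole described in the advisory: once the uploaded HTML lives on a host for which the browser holds no Hackage cookies or HTTP credentials, a script inside it can still run, but every request it sends arrives unauthenticated. The inert-serving fallback is weaker (it only stops the browser from treating the file as a document) and is shown for deployments that cannot add a second host name.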

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Hackage-server / hackage-server
Vendors & Products    -                Hackage-server / hackage-server

Thu, 23 Apr 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description   -                A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.
Title         -                Hackage package and doc upload stored XSS vulnerability
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1
                               {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat-cnalr

Published:

Updated: 2026-04-23T16:22:27.341Z

Reserved: 2026-04-13T15:23:17.067Z

Link: CVE-2026-40470

Vulnrichment

Updated: 2026-04-23T16:19:49.844Z

NVD

Status : Awaiting Analysis

Published: 2026-04-23T16:16:25.523

Modified: 2026-04-24T14:41:55.890

Link: CVE-2026-40470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses