Impact
hackage-server renders user-controlled metadata from .cabal files into HTML href attributes without proper sanitization. This permits a stored Cross-Site Scripting (XSS) attack: an attacker embeds a malicious script that runs in the browser of every user who views the affected package page. The CVSS score of 9.9 signals that the weakness is both severe and far-reaching, potentially enabling credential theft, session hijacking, or arbitrary code execution within the victim's browser context. The description does not detail downstream impacts beyond the XSS capability, but the high severity indicates that the vulnerability is a critical threat to the confidentiality, integrity, and availability of the service.
Affected Systems
This vulnerability pertains to the open-source hackage-server software used to host Haskell packages. No vendor or product name is listed beyond the hackage-server project itself, and the current advisory supplies no version information. Operators should therefore check every locally installed instance of hackage-server against the latest available release.
Risk and Exploitability
The EPSS score of less than 1 % suggests that, at the time of analysis, the probability of exploitation is low, and CISA has not catalogued the vulnerability as a known exploited vulnerability. Still, the attack vector is straightforward: an attacker submits a malicious .cabal file containing crafted link values that are rendered directly into the HTML output. Because the stored payload remains on the server, every subsequent visitor to the affected page becomes a target, making this a persistent flaw. With a high CVSS score and no published mitigation status, the risk to any organisation running hackage-server is considerable until the issue is patched or otherwise mitigated.
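The rendering flaw described under Impact and above, as an added example that is not hackage-server's own code (which is Haskell): the unsafe interpolation of a metadata link into an href attribute beside a hardened renderer that allowlists URL schemes and attribute-escapes the value. The function names, the scheme allowlist and the sample metadata values are assumptions for illustration.

```python
import html
from urllib.parse import urlparse

# Assumed policy for links taken from package metadata (e.g. a .cabal
# homepage or bug-reports field): only web URLs may become clickable.
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_link(label: str, url: str) -> str:
    """Unsafe pattern from the advisory: metadata is interpolated straight
    into an href attribute, so a javascript: URL or a quote-breaking value
    becomes live markup for every visitor of the package page."""
    return f'<a href="{url}">{label}</a>'


def safe_href(url: str):
    """Return an attribute-safe URL, or None if the link must be dropped.

    Two independent layers: the scheme allowlist rejects javascript:, data:,
    vbscript: and scheme-relative URLs no matter how they are escaped, and
    html.escape stops the value from closing the quote or the tag."""
    candidate = url.strip()
    parsed = urlparse(candidate)  # urlparse lowercases the scheme
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_link(label: str, url: str) -> str:
    """Hardened renderer: a rejected URL degrades to escaped plain text
    rather than to a link, so the page still renders but cannot run script."""
    text = html.escape(label, quote=True)
    href = safe_href(url)
    if href is None:
        return text
    return f'<a href="{href}">{text}</a>'


if __name__ == "__main__":
    # Constructed sample values, not real package metadata.
    samples = [
        ("Homepage", "https://example.org/pkg"),
        ("Homepage", "javascript:alert(1)"),
        ("Homepage", 'https://example.org/" onmouseover="x'),
    ]
    for label, url in samples:
        print("vulnerable:", vulnerable_link(label, url))
        print("hardened:  ", render_link(label, url))
```

The scheme check and the escaping are deliberately separate: escaping alone would still emit a clickable javascript: link, and an allowlist alone would still let a quote in an https URL break out of the attribute.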
OpenCVE Enrichment