CVE 9.9 CRITICAL

Hackage package and doc upload stored XSS vulnerability_CVE-2026-40470

April 23, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Description

A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the main hackage.haskell.org domain. As a consequence,
when a user with latent HTTP credentials browses to the package
pages or documentation uploaded by a malicious package maintainer,
their session can be hijacked to upload packages or
documentation, amend maintainers or other package metadata, or
perform any other action the user is authorised to do.

AI Analysis

Critical stored XSS vulnerability in hackage-server allowing session hijacking

Basic Information

ID CVE-2026-40470

Source redhat-cnalr

Published Apr 23, 2026 at 14:53

Affected Product

Vendor Haskell

Product hackage-server

Version 0.1

Affected Versions 0.1

CWE Classification

CWE-79

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor Haskell

Product hackage-server

Version 0.1

References

osv.dev /vulnerability/HSEC-2024-0004

{
    "lastseen": "",
    "description": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.",
    "published": "2026-04-23T14:53:47.724Z",
    "modified": "2026-04-23T14:53:47.724Z",
    "type": "cve",
    "title": "Hackage package and doc upload stored XSS vulnerability",
    "source": "redhat-cnalr",
    "references": "https://osv.dev/vulnerability/HSEC-2024-0004",
    "id": "CVE-2026-40470",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "  0.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hackage-server",
    "version": "0.1",
    "vendor": "Haskell",
    "ai_description": "Critical stored XSS vulnerability in hackage-server allowing session hijacking",
    "ai_severity": "Critical",
    "ai_vendor": "Haskell",
    "ai_product": "hackage-server",
    "ai_version": "0.1",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply