CVE 9.6 CRITICAL

Hackage CSRF vulnerability_CVE-2026-40471

April 23, 2026 invoker category_cve

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Description

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

AI Analysis

Cross-Site Request Forgery (CSRF) vulnerability in hackage-server

Basic Information

ID CVE-2026-40471

Source redhat-cnalr

Published Apr 23, 2026 at 14:56

Modified Apr 23, 2026 at 15:02

Affected Product

Vendor Haskell

Product hackage-server

Version 0.1

Affected Versions 0.1

CWE Classification

CWE-352

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor Haskell

Product hackage-server

Version 0.1

References

osv.dev /vulnerability/HSEC-2026-0002

{
    "lastseen": "",
    "description": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).",
    "published": "2026-04-23T14:56:34.979Z",
    "modified": "2026-04-23T15:02:45.871Z",
    "type": "cve",
    "title": "Hackage CSRF vulnerability",
    "source": "redhat-cnalr",
    "references": "https://osv.dev/vulnerability/HSEC-2026-0002",
    "id": "CVE-2026-40471",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "  0.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hackage-server",
    "version": "0.1",
    "vendor": "Haskell",
    "ai_description": "Cross-Site Request Forgery (CSRF) vulnerability in hackage-server",
    "ai_severity": "Critical",
    "ai_vendor": "Haskell",
    "ai_product": "hackage-server",
    "ai_version": "0.1",
    "ai_score": 9.6
}

💭 Join the Security Discussion ❌ Cancel Reply