CVE-2026-40470 — CRITICAL (9.9)

Vulnerability Description

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Related Weaknesses (CWE)

CWE-79

References

https://osv.dev/vulnerability/HSEC-2024-0004

FAQ

What is CVE-2026-40470?

CVE-2026-40470 is a vulnerability with a CVSS score of 9.9 (CRITICAL). A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the m...

How severe is CVE-2026-40470?

CVE-2026-40470 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-40470?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.