{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40470", "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "state": "PUBLISHED", "assignerShortName": "redhat-cnalr", "dateReserved": "2026-04-13T15:23:17.067Z", "datePublished": "2026-04-23T14:53:47.724Z", "dateUpdated": "2026-04-23T16:22:27.341Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "shortName": "redhat-cnalr", "dateUpdated": "2026-04-23T14:53:47.724Z"}, "title": "Hackage package and doc upload stored XSS vulnerability", "datePublic": "2026-01-16T14:18:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"collectionURL": "https://hackage.haskell.org/package/hackage-server", "packageName": "hackage-server", "versions": [{"status": "affected", "version": "0.1", "lessThan": "0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org. HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain. As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A <strong>critical XSS vulnerability</strong> affected <em>hackage-server</em> and\n<code>hackage.haskell.org</code>. HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\n<em>as-is</em> on the main <code>hackage.haskell.org</code> domain. As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir <strong>session can be hijacked</strong> to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do."}]}], "references": [{"url": "https://osv.dev/vulnerability/HSEC-2024-0004"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"}}], "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T16:19:40.142224Z", "id": "CVE-2026-40470", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:22:27.341Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40470", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T16:19:40.142224Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:19:49.844Z"}}], "cna": {"title": "Hackage package and doc upload stored XSS vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "0.1", "lessThan": "0.6", "versionType": "semver"}], "packageName": "hackage-server", "collectionURL": "https://hackage.haskell.org/package/hackage-server", "defaultStatus": "unaffected"}], "datePublic": "2026-01-16T14:18:00.000Z", "references": [{"url": "https://osv.dev/vulnerability/HSEC-2024-0004"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org. HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain. As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.", "supportingMedia": [{"type": "text/html", "value": "A <strong>critical XSS vulnerability</strong> affected <em>hackage-server</em> and\n<code>hackage.haskell.org</code>. HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\n<em>as-is</em> on the main <code>hackage.haskell.org</code> domain. As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir <strong>session can be hijacked</strong> to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "shortName": "redhat-cnalr", "dateUpdated": "2026-04-23T14:53:47.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40470", "state": "PUBLISHED", "dateUpdated": "2026-04-23T16:22:27.341Z", "dateReserved": "2026-04-13T15:23:17.067Z", "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "datePublished": "2026-04-23T14:53:47.724Z", "assignerShortName": "redhat-cnalr"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org. HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain. As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do."}], "id": "CVE-2026-40470", "lastModified": "2026-04-24T14:41:55.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "type": "Secondary"}]}, "published": "2026-04-23T16:16:25.523", "references": [{"source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "url": "https://osv.dev/vulnerability/HSEC-2024-0004"}], "sourceIdentifier": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "hackage-server", "vendor": "hackage-server"}], "analysis": {"en": {"generated_at": "2026-04-28T23:50:27.513776+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to hackage-server to remove the XSS vulnerability.", "Disable or filter the execution of raw HTML and JavaScript within uploaded documentation and source packages, ensuring only safe content is stored and served.", "Implement a strict Content\u2011Security\u2011Policy header that restricts script sources and mitigates the impact of any residual XSS.", "Monitor authentication and session logs for suspicious activity that could indicate exploitation of the vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting leading to session hijack and unauthorized actions"}, "threat_synthesis": {"affected_systems": "The affected products are the hackage-server and the public hackage.haskell.org site. No specific version information is provided in the advisory, so any instance that has not applied the patch is considered vulnerable.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the Hackage package repository. HTML and JavaScript files that are provided either through source packages or uploaded documentation are served verbatim on the main hackage.haskell.org domain. When a user with authenticated HTTP credentials visits a page containing malicious content, the script executes in the user\u2019s browser, enabling the attacker to hijack the session. This allows the attacker to perform any action that the compromised user is authorized to do, including uploading packages, modifying package metadata, or altering maintainer information. The flaw is a classic CWE\u201179 vulnerability.", "risk_and_exploitability": "The CVSS score of 9.9 indicates critical severity. The EPSS score of <1% shows a very low probability of exploitation at the time of the analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web attack where a malicious package maintainer or attacker who can upload documentation crafts malicious HTML/JavaScript. Once the page is accessed by an authenticated user, the exploit succeeds, allowing privilege escalation within that user\u2019s session."}}}}, "created": "2026-04-28T09:26:02.284453+00:00", "updated": "2026-04-29T00:00:13.821069+00:00", "vendors": ["hackage-server", "hackage-server$PRODUCT$hackage-server"]}