{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40471", "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "state": "PUBLISHED", "assignerShortName": "redhat-cnalr", "dateReserved": "2026-04-13T15:23:17.068Z", "datePublished": "2026-04-23T14:56:34.979Z", "dateUpdated": "2026-04-23T16:22:12.118Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://hackage.haskell.org/package/hackage-server", "defaultStatus": "unaffected", "packageName": "hackage-server", "versions": [{"lessThan": "*", "status": "affected", "version": "0.1", "versionType": "semver"}]}], "datePublic": "2026-03-28T19:04:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts)."}], "value": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site request forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "shortName": "redhat-cnalr", "dateUpdated": "2026-04-23T15:02:45.871Z"}, "references": [{"url": "https://osv.dev/vulnerability/HSEC-2026-0002"}], "title": "Hackage CSRF vulnerability", "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T16:18:53.266261Z", "id": "CVE-2026-40471", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:22:12.118Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40471", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T16:18:53.266261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:19:14.233Z"}}], "cna": {"title": "Hackage CSRF vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "0.1", "lessThan": "*", "versionType": "semver"}], "packageName": "hackage-server", "collectionURL": "https://hackage.haskell.org/package/hackage-server", "defaultStatus": "unaffected"}], "datePublic": "2026-03-28T19:04:00.000Z", "references": [{"url": "https://osv.dev/vulnerability/HSEC-2026-0002"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).", "supportingMedia": [{"type": "text/html", "value": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site request forgery (CSRF)"}]}], "providerMetadata": {"orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "shortName": "redhat-cnalr", "dateUpdated": "2026-04-23T15:02:45.871Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40471", "state": "PUBLISHED", "dateUpdated": "2026-04-23T16:22:12.118Z", "dateReserved": "2026-04-13T15:23:17.068Z", "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "datePublished": "2026-04-23T14:56:34.979Z", "assignerShortName": "redhat-cnalr"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts)."}], "id": "CVE-2026-40471", "lastModified": "2026-04-24T14:41:55.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "type": "Secondary"}]}, "published": "2026-04-23T16:16:25.640", "references": [{"source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "url": "https://osv.dev/vulnerability/HSEC-2026-0002"}], "sourceIdentifier": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "hackage-server", "vendor": "hackage-server"}], "analysis": {"en": {"generated_at": "2026-04-28T23:50:04.799054+00:00", "value": {"mitigation_remediation": ["Apply any available hackage\u2011server patch or upgrade to the latest release that includes CSRF protection", "If an upgrade is not yet available, restrict administrative endpoints to authenticated and authenticated+CSRF\u2011token validated requests; configure the server to require a custom header or token for those actions", "Block or filter cross\u2011origin requests to administrative endpoints using a web\u2011application firewall or reverse\u2011proxy that inspects the Referer and Origin headers", "Enable two\u2011factor authentication for all administrative users to mitigate credential abuse", "Monitor logs for repeated account creation or suspicious package uploads that may indicate a CSRF exploitation attempt"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The target product is hackage\u2011server; no specific version range is listed in the advisory, so all installations of hackage\u2011server are potentially affected until a patch is applied.", "description_and_impact": "hackage\u2011server was found to lack cross\u2011site request forgery protection. The vulnerability allows an attacker to craft malicious scripts hosted on a foreign domain that trick a victim\u2019s browser into issuing authenticated or unauthenticated requests to the hackage server. This can be used to upload malicious packages, change repository metadata, or create new user accounts, potentially affecting the integrity of the package repository. The weakness is a classic CSRF flaw (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 9.6 indicates that the flaw is severe. The EPSS score of less than 1\u202f% suggests that exploitation is considered unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a remote client\u2011side attack where the user\u2019s browser is tricked into sending requests, which means that any user who accesses a malicious page while authenticated to hackage\u2011server faces risk. As the vulnerability allows both authenticated and some unauthenticated administrative actions, an attacker could gain administrative capabilities such as uploading packages or creating accounts once credentials are compromised or new accounts are created. The combination of a high severity score and low exploitation probability still warrants prompt mitigation."}}}}, "created": "2026-04-28T09:25:57.329478+00:00", "updated": "2026-04-29T00:00:13.819046+00:00", "vendors": ["hackage-server", "hackage-server$PRODUCT$hackage-server"]}