{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40472", "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "state": "PUBLISHED", "assignerShortName": "redhat-cnalr", "dateReserved": "2026-04-13T15:23:17.068Z", "datePublished": "2026-04-23T15:00:09.063Z", "dateUpdated": "2026-04-23T16:22:06.841Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "shortName": "redhat-cnalr", "dateUpdated": "2026-04-23T15:00:09.063Z"}, "title": "Hackage package metadata stored XSS vulnerability", "datePublic": "2026-03-28T19:05:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"collectionURL": "https://hackage.haskell.org/package/hackage-server", "packageName": "hackage-server", "versions": [{"status": "affected", "version": "0.1", "lessThan": "*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In hackage-server, user-controlled metadata from .cabal files are rendered into HTML\nhref attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In hackage-server, user-controlled metadata from <code>.cabal</code> files are rendered into HTML\n<code>href</code> attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks."}]}], "references": [{"url": "https://osv.dev/vulnerability/HSEC-2026-0004"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"}}], "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T16:15:39.611590Z", "id": "CVE-2026-40472", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:22:06.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40472", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T16:15:39.611590Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:15:44.107Z"}}], "cna": {"title": "Hackage package metadata stored XSS vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "0.1", "lessThan": "*", "versionType": "semver"}], "packageName": "hackage-server", "collectionURL": "https://hackage.haskell.org/package/hackage-server", "defaultStatus": "unaffected"}], "datePublic": "2026-03-28T19:05:00.000Z", "references": [{"url": "https://osv.dev/vulnerability/HSEC-2026-0004"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "In hackage-server, user-controlled metadata from .cabal files are rendered into HTML\nhref attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks.", "supportingMedia": [{"type": "text/html", "value": "In hackage-server, user-controlled metadata from <code>.cabal</code> files are rendered into HTML\n<code>href</code> attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "shortName": "redhat-cnalr", "dateUpdated": "2026-04-23T15:00:09.063Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40472", "state": "PUBLISHED", "dateUpdated": "2026-04-23T16:22:06.841Z", "dateReserved": "2026-04-13T15:23:17.068Z", "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "datePublished": "2026-04-23T15:00:09.063Z", "assignerShortName": "redhat-cnalr"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In hackage-server, user-controlled metadata from .cabal files are rendered into HTML\nhref attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks."}], "id": "CVE-2026-40472", "lastModified": "2026-04-24T14:41:55.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "type": "Secondary"}]}, "published": "2026-04-23T16:16:25.753", "references": [{"source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "url": "https://osv.dev/vulnerability/HSEC-2026-0004"}], "sourceIdentifier": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "product": "hackage-server", "vendor": "hackage-server"}], "analysis": {"en": {"generated_at": "2026-04-28T14:51:06.505966+00:00", "value": {"mitigation_remediation": ["Apply the most recent hackage\u2011server update that sanitizes href attributes in package metadata.", "If no patch is presently available, enforce strict validation on uploaded .cabal files, automatically escaping or rejecting any content that could generate unsanitized HTML tags.", "Where feasible, restrict upload permissions to trusted developers or place uploads through a manual review process to prevent the introduction of malicious metadata."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This vulnerability pertains to the open\u2011source hackage\u2011server software used for hosting Haskell packages. No specific vendor or product name is listed beyond the hackage\u2011server project, and version information has not been supplied in the current advisory. Users should therefore evaluate all locally installed instances of hackage\u2011server against the latest available release.", "description_and_impact": "hackage\u2011server renders user\u2011controlled metadata from .cabal files into HTML href attributes without proper sanitization. This flaw permits a stored Cross\u2011Site Scripting (XSS) vulnerability, where an attacker can embed malicious scripts that execute in the browsers of any users viewing the affected package page. The CVSS score of 9.9 signals that the weakness is both severe and far\u2011reaching, potentially enabling credential theft, session hijacking, or arbitrary code execution within the victim\u2019s browser context. The description does not detail downstream impacts beyond the XSS capability, but the high severity indicates that the vulnerability is a critical threat to confidentiality, integrity, and availability of the service.", "risk_and_exploitability": "The EPSS score of less than 1\u202f% suggests that, at the time of analysis, the exploitation probability is low, and the vulnerability is not yet catalogued by CISA as a known exploited vulnerability. Still, the attack vector is straightforward: an attacker submits a malicious .cabal file containing crafted link tags that are rendered directly into the HTML output. As the stored payload remains on the server, every subsequent visitor to the affected page becomes a target, making this a persistent flaw. With a high CVSS score and lack of mitigation status, the risk to any organisation running hackage\u2011server is considerable until the issue is patched or otherwise mitigated."}}}}, "created": "2026-04-28T09:25:56.181558+00:00", "updated": "2026-04-28T15:00:14.510642+00:00", "vendors": ["hackage-server", "hackage-server$PRODUCT$hackage-server"]}