CVE-2026-40470 · CRITICAL 9.9 · EPSS percentile 22.4%


Description

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS: 0.31% probability of exploitation · percentile 22.4% · 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-04-24

Underlying weaknesses (1)

CWE-79

References

  1. https://osv.dev/vulnerability/HSEC-2024-0004

Weakness mapping (1)

Type: Weakness · Target: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79) · Confidence: 0% · Tier: live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.