CVE-2026-40471 · CRITICAL 9.6 · EPSS percentile 3.4%

Description

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to a hackage-server instance, possibly abusing latent (still-valid) credentials in the victim's browser to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS: 0.14% probability of exploitation · percentile 3.4% · 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-04-24

Underlying weaknesses (1)

CWE-352

References

  1. https://osv.dev/vulnerability/HSEC-2026-0002

Weakness mapping (1)

Type      Target                                      Confidence  Tier
Weakness  Cross-Site Request Forgery (CSRF), CWE-352  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-40470
  - CVE: CVE-2026-40472
  - CVE: CVE-2025-41661
  - CVE: Apache HTTP Server-Side Request Forgery (SSRF)
  - CVE: CVE-2025-2691
  - CVE: CVE-2026-22194

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.