CVE-2026-40470

CRITICAL

9.9CVSS v3

—CVSS v2

0.06% EPSS (exploit probability)

CWE-79CWE

Description

A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation upload facility were served
as-is on the main hackage.haskell.org domain. As a consequence,
when a user with latent HTTP credentials browses to the package
pages or documentation uploaded by a malicious package maintainer,
their session can be hijacked to upload packages or
documentation, amend maintainers or other package metadata, or
perform any other action the user is authorised to do.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Affected routers (0)

No routers currently mapped to this CVE in our database.

External references

NIST NVD
MITRE CVE