Critical XSS in Hackage Server Exposes User Sessions
The National Vulnerability Database has disclosed CVE-2026-40470, a critical Cross-Site Scripting (XSS) vulnerability impacting hackage-server and hackage.haskell.org. This flaw allowed HTML and JavaScript files within source packages or documentation uploads to be served directly on the main domain. This isn’t just a minor display issue; it’s a fundamental breakdown of content isolation.
Attackers, specifically malicious package maintainers, could leverage this to deliver arbitrary HTML and JavaScript. When a user browsed these compromised package pages or documentation, their HTTP session credentials were at risk. This means an attacker could hijack sessions, enabling unauthorized package uploads, modification of maintainer details, alteration of package metadata, or any other action the compromised user was authorized to perform. The CVSS score of 9.9 (Critical) accurately reflects the severe impact: a complete takeover of a user’s account with minimal user interaction.
This isn’t theoretical; it’s a direct path to supply chain compromise. If the maintainer of a widely used Haskell library had their session hijacked, the implications could ripple across numerous projects. Defenders need to understand that trust in package repositories is paramount, and vulnerabilities like this erode that trust, creating a vector for widespread malicious code injection.
What This Means For You
- If your development pipeline relies on `hackage.haskell.org` or similar package repositories, this vulnerability highlights a critical supply chain risk. Ensure your security architecture includes strict content security policies (CSPs) and robust input validation on any user-supplied content served from your primary domains. For `hackage.haskell.org` users, immediately review and revoke any HTTP credentials that may have been exposed through browsing untrusted package pages or documentation. Assume compromise and force credential resets.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Hackage Server XSS - Malicious HTML/JS Served - CVE-2026-40470
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40470 | XSS | hackage-server |
| CVE-2026-40470 | XSS | hackage.haskell.org |
| CVE-2026-40470 | XSS | Serving HTML and JavaScript files from source packages or documentation upload facility as-is on the main domain |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
CVE-2026-41239 — Cross-Site Scripting (XSS)
CVE-2026-41239 — DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips...
CVE-2026-41238 — Cross-Site Scripting (XSS)
CVE-2026-41238 — DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS...
Critical XSS in hackage-server via Malicious .cabal Metadata
CVE-2026-40472 — In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.