CRITICAL🇵🇱 Wersja polska

CVE-2026-40470

CVSS 9.9v3.1pub. 2026-04-23upd. 2026-04-24

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

🤖 AI Analysis
How it works

The hackage-server application serves HTML files and JavaScript provided as part of source packages or uploaded through the documentation mechanism directly as raw resources within the main hackage.haskell.org domain, without proper filtering or isolation. A malicious package maintainer can therefore place a crafted script that will execute in the victim's browser in the context of the trusted domain. When a user with an active HTTP session visits a package or documentation page containing malicious code, the script gains access to their session credentials.

Impact

An attacker can hijack the session of an authenticated user and submit packages or documentation on their behalf, modify the list of package maintainers and other package metadata, as well as perform any other operations available to that user.

Mitigation & patch

Patches available from the vendor should be applied according to the references (https://osv.dev/vulnerability/HSEC-2024-0004). It is also recommended to avoid browsing untrusted package pages on hackage.haskell.org until updates are applied.

Who is affected

hackage-server and the hackage.haskell.org service — specific versions indicated in the vendor references (HSEC-2024-0004)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References