CVE-2026-40470 (GCVE-0-2026-40470)

Vulnerability from cvelistv5 – Published: 2026-04-23 14:53 – Updated: 2026-04-23 16:22

Title

Hackage package and doc upload stored XSS vulnerability

Summary

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

Severity ?

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CWE

CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')

Assigner

redhat-cnalr

References

URL

Tags

https://osv.dev/vulnerability/HSEC-2024-0004

Impacted products

	Vendor	Product	Version
			Affected: 0.1 , < 0.6 (semver)

Date Public ?

2026-01-16 14:18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40470",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T16:19:40.142224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T16:22:27.341Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://hackage.haskell.org/package/hackage-server",
          "defaultStatus": "unaffected",
          "packageName": "hackage-server",
          "versions": [
            {
              "lessThan": "0.6",
              "status": "affected",
              "version": "0.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-01-16T14:18:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A \u003cstrong\u003ecritical XSS vulnerability\u003c/strong\u003e affected \u003cem\u003ehackage-server\u003c/em\u003e and\n\u003ccode\u003ehackage.haskell.org\u003c/code\u003e.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\n\u003cem\u003eas-is\u003c/em\u003e on the main \u003ccode\u003ehackage.haskell.org\u003c/code\u003e domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir \u003cstrong\u003esession can be hijacked\u003c/strong\u003e to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do."
            }
          ],
          "value": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T14:53:47.724Z",
        "orgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
        "shortName": "redhat-cnalr"
      },
      "references": [
        {
          "url": "https://osv.dev/vulnerability/HSEC-2024-0004"
        }
      ],
      "title": "Hackage package and doc upload stored XSS vulnerability",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
    "assignerShortName": "redhat-cnalr",
    "cveId": "CVE-2026-40470",
    "datePublished": "2026-04-23T14:53:47.724Z",
    "dateReserved": "2026-04-13T15:23:17.067Z",
    "dateUpdated": "2026-04-23T16:22:27.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40470\",\"sourceIdentifier\":\"74b3a70d-cca6-4d34-9789-e83b222ae3be\",\"published\":\"2026-04-23T16:16:25.523\",\"lastModified\":\"2026-04-23T16:16:25.523\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A critical XSS vulnerability affected hackage-server and\\nhackage.haskell.org.  HTML and JavaScript files provided in source\\npackages or via the documentation upload facility were served\\nas-is on the main hackage.haskell.org domain.  As a consequence,\\nwhen a user with latent HTTP credentials browses to the package\\npages or documentation uploaded by a malicious package maintainer,\\ntheir session can be hijacked to upload packages or\\ndocumentation, amend maintainers or other package metadata, or\\nperform any other action the user is authorised to do.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"74b3a70d-cca6-4d34-9789-e83b222ae3be\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"74b3a70d-cca6-4d34-9789-e83b222ae3be\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://osv.dev/vulnerability/HSEC-2024-0004\",\"source\":\"74b3a70d-cca6-4d34-9789-e83b222ae3be\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40470\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-23T16:19:40.142224Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-23T16:19:49.844Z\"}}], \"cna\": {\"title\": \"Hackage package and doc upload stored XSS vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0.1\", \"lessThan\": \"0.6\", \"versionType\": \"semver\"}], \"packageName\": \"hackage-server\", \"collectionURL\": \"https://hackage.haskell.org/package/hackage-server\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-01-16T14:18:00.000Z\", \"references\": [{\"url\": \"https://osv.dev/vulnerability/HSEC-2024-0004\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A critical XSS vulnerability affected hackage-server and\\nhackage.haskell.org.  HTML and JavaScript files provided in source\\npackages or via the documentation upload facility were served\\nas-is on the main hackage.haskell.org domain.  As a consequence,\\nwhen a user with latent HTTP credentials browses to the package\\npages or documentation uploaded by a malicious package maintainer,\\ntheir session can be hijacked to upload packages or\\ndocumentation, amend maintainers or other package metadata, or\\nperform any other action the user is authorised to do.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A \u003cstrong\u003ecritical XSS vulnerability\u003c/strong\u003e affected \u003cem\u003ehackage-server\u003c/em\u003e and\\n\u003ccode\u003ehackage.haskell.org\u003c/code\u003e.  HTML and JavaScript files provided in source\\npackages or via the documentation upload facility were served\\n\u003cem\u003eas-is\u003c/em\u003e on the main \u003ccode\u003ehackage.haskell.org\u003c/code\u003e domain.  As a consequence,\\nwhen a user with latent HTTP credentials browses to the package\\npages or documentation uploaded by a malicious package maintainer,\\ntheir \u003cstrong\u003esession can be hijacked\u003c/strong\u003e to upload packages or\\ndocumentation, amend maintainers or other package metadata, or\\nperform any other action the user is authorised to do.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"74b3a70d-cca6-4d34-9789-e83b222ae3be\", \"shortName\": \"redhat-cnalr\", \"dateUpdated\": \"2026-04-23T14:53:47.724Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40470\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-23T16:22:27.341Z\", \"dateReserved\": \"2026-04-13T15:23:17.067Z\", \"assignerOrgId\": \"74b3a70d-cca6-4d34-9789-e83b222ae3be\", \"datePublished\": \"2026-04-23T14:53:47.724Z\", \"assignerShortName\": \"redhat-cnalr\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40470

Vulnerability from fkie_nvd - Published: 2026-04-23 16:16 - Updated: 2026-04-23 16:16

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Summary

References

	URL	Tags
	74b3a70d-cca6-4d34-9789-e83b222ae3be	https://osv.dev/vulnerability/HSEC-2024-0004

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do."
    }
  ],
  "id": "CVE-2026-40470",
  "lastModified": "2026-04-23T16:16:25.523",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-23T16:16:25.523",
  "references": [
    {
      "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
      "url": "https://osv.dev/vulnerability/HSEC-2024-0004"
    }
  ],
  "sourceIdentifier": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
      "type": "Secondary"
    }
  ]
}

hsec-2024-0004

Vulnerability from osv_haskell

Published

2026-01-16 11:18

Modified

2026-01-16 11:18

Summary

Hackage package and doc upload stored XSS vulnerability

Details

Hackage package and doc upload stored XSS vulnerability

Author: Fraser Tweedale (Haskell SRT)

Executive summary

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

This issue was discovered and reported to the Haskell Security Response Team (SRT) in June 2024. Remediations were progressively developed and deployed throughout 2025. The known issues have been fully mitigated on hackage.haskell.org as of January 2026.

The mitigations involve serving user content from a sister domain. In the case of hackage.haskell.org, this domain is hackage-content.haskell.org.

Operators of other hackage-server instances should update to the master branch from the upstream repository (https://github.com/haskell/hackage-server; commit 9a1887607d9b8d1a3b8b02c990ee144c0d402b79 or later), and configure the user content domain (new flag --user-content-uri).

Scope of the issue

Package documentation uploads

Any Hackage user can upload documentation bundles for the packages they own. Typically those are prepared by Haddock, but they may be customised or modified. Malicious code can be delivered in several ways:

In JavaScript files loaded by an HTML page;
In <script> tags on an HTML page;
In action attributes (e.g. onclick) on an HTML page.

`quick-jump` JavaScript

In addition to the supplied HTML pages, parts of the uploaded documentation bundle are referenced from the main package page (and candidate pages)—in particular, quick-jump.min.js, which implements the "quick jump" feature, and the corresponding CSS file (CSS can also present an XSS risk). These files are included by the following templates:

datafiles/templates/Html/package-page.html.st
datafiles/templates/Html/candidate-page.html.st

It is loaded via a <script> tag:

<script src="$doc.baseUrl$/quick-jump.min.js" type="text/javascript"></script>

Source tarball browsing

HTML content in the source package is served as text/html or application/xhtml+xml, depending on file extension. The browser renders the page and executes scripts without restriction. The same scope of exploitation arises as for documentation uploads.

Impact

Malicious scripts can use latent HTTP credentials in the browser to perform any action the user is authorised to do, without user interaction. This could include uploading new package versions, editing packaging metadata, adding new maintainers, and more.

Additionally, malicious scripts and HTML could present a counterfeit login form to the user, tricking the user into divulging their credentials. The script can then abuse the credentials in the same way as the latent credential scenario.

CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS score: 9.9 (Critical)

Mitigations

This section describes the code and configuration changes to mitigate the issues.

User content domain

hackage-server was updated to serve user-uploaded content from a separate DNS domain. This includes package documentation (excluding the main package description) and source tarball browsing, for both published and candidate packages.

For the relevant resources, requests on the main domain are redirected to the user content domain via an HTTP 301 ("Moved Permanently") response status.

Doc and source tarballs uploaded prior to the deployment of these mitigations are exempted from the redirection, and remain accessible via the main domain (this may be changed in the future).

Alternative approaches considered:

Serving HTML from the source tarball with Content-Type: text/plain would prevent the browser from interpreting them as HTML and executing inline or referenced scripts. But several packages have custom doc bundles uploaded, offering a rich documentation experience to their users. Therefore, changing this behaviour would surprise and probably disappoint many users.

quick-jump: reject unrecognised JavaScript and CSS

A small number of versions of quick-jump.min.js and quick-jump.css have appeared in official releases of of the Haddock documentation builder program. hackage-server matches the SHA-256 digests of the files in the doc bundle against the list of "known good" files. If there is no match, hackage-server refuses to serve the file (403 Forbidden).

The digest lists are currently hard-coded; the initial values are mentioned at the end of this document. The list needs to be updated whenever the official Haddock quick-jump implementation changes.

Alternative approaches considered:

Using Subresource Integrity (SRI) to limit to known-good hashes. This would require the same amount of development and maintenance overhead whilst depending on browser implementation for enforcement.
Ignoring the quick-jump implementation from the doc bundle and serving a single "golden" implementation for all packages. Because quick-jump reads the generated doc-index.json this approach ran the risk of breaking the feature on older (or newer) uploads if the format of the file changes. Formally specifying the doc-index.json would allow the quick-jump feature to be evolved and improved to bring benefits to all packages and reduce security risks.

There was considerable debate between the digest allow-list and "golden" approaches. The hackage-server maintainers had the final say, and the SRT is satisfied that the chosen approach resolves the security issues.

Acknowledgements

Zubin Duggal reported the issue in documentation uploads.
Duncan Coutts noticed that the issue also affects source tarball browsing.
Gershom Bazerman and Janus Troelsen implemented the mitigations, and Gershom handled redeploys of the hackage.haskell.org service.
Fraser Tweedale verified and analysed the issue, and coordinated the security response.

Appendix A.1. Known-good variants of `quick-jump.min.js`

This appendix records known variants of quick-jump.min.js from the GHC and Haddock repositories. The commit ID, Git object (short) ID, and SHA-256 digests are noted. The SHA-256 digests can be used with Subresource Integrity (SRI) or server-side checks to prevent delivery or execution of unrecognised script content.

From `https://gitlab.haskell.org/ghc/haddock.git`—`master` branch

commit: e99aefb50ca63e2dbcc95841efbb53cea90151d8 (Sep 23 2017)
object: c9f2b445b9
sha256: e1da96b0d7ab3d72cfe3786def923c5af91ba331858852f1f43a1acfc5ee6966

commit: 8e88615a23a9f1980a55bd1b3ef9dcc938d95237 (Oct 10 2017)
object: cb24f8bdea
sha256: a273a3ef19c21032afc5f65d1e09933146f183da906ca9d0b4c285095539e0e7

commit: b4982d87f41d9a4d3f6237bacfd819145723e35b (Oct 30 2017)
object: f22f8f2881
sha256: 8aed621ac2b746751585cbe271631394cacc0e01cca4ef589e11b077b0acd291

commit: 93c1e6eb9e829a66ff213ec076d529ab008880b3 (Dec 16 2017)
object: bfdf04a372
sha256: 4b10c18a7ad35f032e8cdc0d263716a93878bf06d998b1b66dccff06ceeee89d

commit: 59812a09eb69cbf12407206381f4c214987b1efd (Apr 3 2018)
object: c03e083607
sha256: ce86bba43edb0534c0faa2d6d0f504877576c5271321e3fbd9638fd4667384a2

commit: a69311708493efe8524aed0e9d19365f79f2fab3 (Oct 24 2018)
object: 06c35c7454
sha256: 548d676b3e5a52cbfef06d7424ec065c1f34c230407f9f5dc002c27a9666bec4

From `https://gitlab.haskell.org/ghc/ghc.git`—`master` branch

Note: all of the objects listed above also occur in the GHC repo, but the commit history is different (as expected).

commit: 7776566531e72c415f66dd3b13da9041c52076aa (Nov 13 2019)
object: 0b0eeb27d1
sha256: 7ca43fc2058574846e032bc5493a0ad4568e4fa14fb58558fbf48d3bd6693e59

commit: 14e554cf682ae975ba356b07672c0f9d465e2a78 (May 24 2024)
object: 06c35c7454
sha256: (seen already)

Appendix A.2. Known-good variants of `quick-jump.css`

This appendix records known variants of quick-jump.css from the GHC and Haddock repositories. The commit ID, Git object (short) ID, and SHA-256 digests are noted. The SHA-256 digests can be used with Subresource Integrity (SRI) or server-side checks to prevent delivery or use of unrecognised CSS content.

From `https://gitlab.haskell.org/ghc/haddock.git`—`master` branch

No changes since integration of haddock into the ghc repo.

From `https://gitlab.haskell.org/ghc/ghc.git`—`master` branch

commit: 9511e587701349093cbe3ac7c00f13583820774f (Feb 7 2021)
object: cf10eee4
sha256: 6bd159f6d7b1cfef1bd190f1f5eadcd15d35c6c567330d7465c3c35d5195bc6f

commit: 05ccce6e07731f9788a434d6e06f4cadeff3d6ba (Dec 8 2020)
object: d656f51c
sha256: 6997c223e09b340f5f1bb970c930b458f768a0bbbe787cb87f181820a3d122b3

commit: fa5ec121e2a700137bab8bd48cc30b1e80f58fd4 (Feb 27 2019)
object: 8772809c
sha256: 29fe483bd37ad3feba12f646e9661731127526f246c246b0011b384e11649dff

commit: fc069bf200f930c21f96ddbbec1d7c5c69f8ba72 (Jan 15 2018)
object: 468d8036
sha256: 1d51573b72bc8a7b9b0dda3beffb7882db78d22a37840203f761e3969d915027

commit: 0997eb61803a37803ddb6cf7116eb9db1046b2ce (Oct 10 2017)
object: ede05042
sha256: 59693ef3f0d793031b3af58b214af7884c0f63ce6db659ffd7432cf0aa852b51

commit: d41abb0f606bf5fdbdc0a7bd3758e0c30601b121 (Sep 23 2017)
object: b69903c3
sha256: f95b8b12a8a13dd31add93527e1239fdff6997c7f2396e975e2e415db04b75fb

References

URL

Type

	https://github.com/haskell/hackage-server/commit/…	FIX
	https://github.com/haskell/hackage-server/commit/…	FIX
	https://github.com/haskell/hackage-server/commit/…	FIX

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0004.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0004.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "hackage-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1"
            },
            {
              "fixed": "0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40470"
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# Hackage package and doc upload stored XSS vulnerability\n\n*Author: Fraser Tweedale (Haskell SRT)*\n\n## Executive summary\n\nA **critical XSS vulnerability** affected *hackage-server* and\n`hackage.haskell.org`.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\n*as-is* on the main `hackage.haskell.org` domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir **session can be hijacked** to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.\n\nThis issue was discovered and reported to the Haskell Security\nResponse Team (SRT) in June 2024.  Remediations were progressively\ndeveloped and deployed throughout 2025.  **The known issues have\nbeen fully mitigated on `hackage.haskell.org` as of January 2026.**\n\nThe mitigations involve serving user content from a sister domain.\nIn the case of `hackage.haskell.org`, this domain is\n`hackage-content.haskell.org`.\n\nOperators of other *hackage-server* instances should update to the\n`master` branch from the upstream repository\n(https://github.com/haskell/hackage-server; commit\n`9a1887607d9b8d1a3b8b02c990ee144c0d402b79` or later), and configure\nthe user content domain (new flag `--user-content-uri`).\n\n## Scope of the issue\n\n### Package documentation uploads\n\nAny Hackage user can upload documentation bundles for the packages\nthey own.  Typically those are prepared by Haddock, but they may be\ncustomised or modified.  Malicious code can be delivered in several\nways:\n\n- In JavaScript files loaded by an HTML page;\n- In `\u003cscript\u003e` tags on an HTML page;\n- In action attributes (e.g. `onclick`) on an HTML page.\n\n### `quick-jump` JavaScript\n\nIn addition to the supplied HTML pages, parts of the uploaded\ndocumentation bundle are referenced from the main package page (and\ncandidate pages)\u2014in particular, `quick-jump.min.js`, which\nimplements the \"quick jump\" feature, and the corresponding CSS file\n(CSS can also present an XSS risk).  These files are included by the\nfollowing templates:\n\n- `datafiles/templates/Html/package-page.html.st`\n- `datafiles/templates/Html/candidate-page.html.st`\n\nIt is loaded via a `\u003cscript\u003e` tag:\n\n```html\n\u003cscript src=\"$doc.baseUrl$/quick-jump.min.js\" type=\"text/javascript\"\u003e\u003c/script\u003e\n```\n\n### Source tarball browsing\n\nHTML content in the source package is served as `text/html` or\n`application/xhtml+xml`, depending on file extension.  The browser\nrenders the page and executes scripts without restriction.  The same\nscope of exploitation arises as for documentation uploads.\n\n\n## Impact\n\nMalicious scripts can use latent HTTP credentials in the browser to\nperform any action the user is authorised to do, **without user\ninteraction**.  This could include uploading new package versions,\nediting packaging metadata, adding new maintainers, and more.\n\nAdditionally, malicious scripts and HTML could present a counterfeit\nlogin form to the user, tricking the user into divulging their\ncredentials.  The script can then abuse the credentials in the same\nway as the latent credential scenario.\n\n- CVSS vector string: **CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L**\n- CVSS score: **9.9 (Critical)**\n\n\n## Mitigations\n\nThis section describes the code and configuration changes to\nmitigate the issues.\n\n\n### User content domain\n\n*hackage-server* was updated to serve user-uploaded content from a\nseparate DNS domain.  This includes package documentation (excluding\nthe main package description) and source tarball browsing, for both\npublished and candidate packages.\n\nFor the relevant resources, requests on the main domain are\nredirected to the user content domain via an HTTP 301 (\"Moved\nPermanently\") response status.\n\nDoc and source tarballs uploaded prior to the deployment of these\nmitigations are exempted from the redirection, and remain accessible\nvia the main domain (this may be changed in the future).\n\nAlternative approaches considered:\n\n- Serving HTML from the source tarball with `Content-Type:\n  text/plain` would prevent the browser from interpreting them as\n  HTML and executing inline or referenced scripts.  But several\n  packages have custom doc bundles uploaded, offering a rich\n  documentation experience to their users.  Therefore, changing this\n  behaviour would surprise and probably disappoint many users.\n\n\n### quick-jump: reject unrecognised JavaScript and CSS\n\nA small number of versions of `quick-jump.min.js` and\n`quick-jump.css` have appeared in official releases of of the\nHaddock documentation builder program.  *hackage-server* matches the\nSHA-256 digests of the files in the doc bundle against the list of\n\"known good\" files.  If there is no match, *hackage-server* refuses\nto serve the file (403 Forbidden).\n\nThe digest lists are currently hard-coded; the initial values are\nmentioned at the end of this document.  The list needs to be updated\nwhenever the official Haddock quick-jump implementation changes.\n\nAlternative approaches considered:\n\n- Using [*Subresource Integrity (SRI)*][spec-SRI] to limit to\n  known-good hashes.  This would require the same amount of\n  development and maintenance overhead whilst depending on browser\n  implementation for enforcement.\n\n- Ignoring the quick-jump implementation from the doc bundle and\n  serving a single \"golden\" implementation for all packages.\n  Because quick-jump reads the generated `doc-index.json` this\n  approach ran the risk of breaking the feature on older (or newer)\n  uploads if the format of the file changes.  Formally specifying\n  the `doc-index.json` would allow the quick-jump feature to be\n  evolved and improved to bring benefits to all packages and reduce\n  security risks.\n\nThere was considerable debate between the digest allow-list and\n\"golden\" approaches.  The *hackage-server* maintainers had the final\nsay, and the SRT is satisfied that the chosen approach resolves the\nsecurity issues.\n\n[spec-SRI]: https://www.w3.org/TR/SRI/\n\n\n## Acknowledgements\n\n- **Zubin Duggal** reported the issue in documentation uploads.\n- **Duncan Coutts** noticed that the issue also affects source\n  tarball browsing.\n- **Gershom Bazerman** and **Janus Troelsen** implemented the\n  mitigations, and Gershom handled redeploys of the\n  `hackage.haskell.org` service.\n- **Fraser Tweedale** verified and analysed the issue, and\n  coordinated the security response.\n\n## Appendix A.1.  Known-good variants of `quick-jump.min.js`\n\nThis appendix records known variants of `quick-jump.min.js` from the\nGHC and Haddock repositories.  The commit ID, Git object (short) ID,\nand SHA-256 digests are noted.  The SHA-256 digests can be used with\nSubresource Integrity (SRI) or server-side checks to prevent\ndelivery or execution of unrecognised script content.\n\n### From `https://gitlab.haskell.org/ghc/haddock.git`\u2014`master` branch\n\n```\ncommit: e99aefb50ca63e2dbcc95841efbb53cea90151d8 (Sep 23 2017)\nobject: c9f2b445b9\nsha256: e1da96b0d7ab3d72cfe3786def923c5af91ba331858852f1f43a1acfc5ee6966\n\ncommit: 8e88615a23a9f1980a55bd1b3ef9dcc938d95237 (Oct 10 2017)\nobject: cb24f8bdea\nsha256: a273a3ef19c21032afc5f65d1e09933146f183da906ca9d0b4c285095539e0e7\n\ncommit: b4982d87f41d9a4d3f6237bacfd819145723e35b (Oct 30 2017)\nobject: f22f8f2881\nsha256: 8aed621ac2b746751585cbe271631394cacc0e01cca4ef589e11b077b0acd291\n\ncommit: 93c1e6eb9e829a66ff213ec076d529ab008880b3 (Dec 16 2017)\nobject: bfdf04a372\nsha256: 4b10c18a7ad35f032e8cdc0d263716a93878bf06d998b1b66dccff06ceeee89d\n\ncommit: 59812a09eb69cbf12407206381f4c214987b1efd (Apr 3 2018)\nobject: c03e083607\nsha256: ce86bba43edb0534c0faa2d6d0f504877576c5271321e3fbd9638fd4667384a2\n\ncommit: a69311708493efe8524aed0e9d19365f79f2fab3 (Oct 24 2018)\nobject: 06c35c7454\nsha256: 548d676b3e5a52cbfef06d7424ec065c1f34c230407f9f5dc002c27a9666bec4\n```\n\n### From `https://gitlab.haskell.org/ghc/ghc.git`\u2014`master` branch\n\nNote: all of the *objects* listed above also occur in the GHC repo,\nbut the commit history is different (as expected).\n\n```\ncommit: 7776566531e72c415f66dd3b13da9041c52076aa (Nov 13 2019)\nobject: 0b0eeb27d1\nsha256: 7ca43fc2058574846e032bc5493a0ad4568e4fa14fb58558fbf48d3bd6693e59\n\ncommit: 14e554cf682ae975ba356b07672c0f9d465e2a78 (May 24 2024)\nobject: 06c35c7454\nsha256: (seen already)\n```\n\n## Appendix A.2.  Known-good variants of `quick-jump.css`\n\nThis appendix records known variants of `quick-jump.css` from the\nGHC and Haddock repositories.  The commit ID, Git object (short) ID,\nand SHA-256 digests are noted.  The SHA-256 digests can be used with\nSubresource Integrity (SRI) or server-side checks to prevent\ndelivery or use of unrecognised CSS content.\n\n### From `https://gitlab.haskell.org/ghc/haddock.git`\u2014`master` branch\n\n*No changes since integration of haddock into the ghc repo*.\n\n### From `https://gitlab.haskell.org/ghc/ghc.git`\u2014`master` branch\n\n```\ncommit: 9511e587701349093cbe3ac7c00f13583820774f (Feb 7 2021)\nobject: cf10eee4\nsha256: 6bd159f6d7b1cfef1bd190f1f5eadcd15d35c6c567330d7465c3c35d5195bc6f\n\ncommit: 05ccce6e07731f9788a434d6e06f4cadeff3d6ba (Dec 8 2020)\nobject: d656f51c\nsha256: 6997c223e09b340f5f1bb970c930b458f768a0bbbe787cb87f181820a3d122b3\n\ncommit: fa5ec121e2a700137bab8bd48cc30b1e80f58fd4 (Feb 27 2019)\nobject: 8772809c\nsha256: 29fe483bd37ad3feba12f646e9661731127526f246c246b0011b384e11649dff\n\ncommit: fc069bf200f930c21f96ddbbec1d7c5c69f8ba72 (Jan 15 2018)\nobject: 468d8036\nsha256: 1d51573b72bc8a7b9b0dda3beffb7882db78d22a37840203f761e3969d915027\n\ncommit: 0997eb61803a37803ddb6cf7116eb9db1046b2ce (Oct 10 2017)\nobject: ede05042\nsha256: 59693ef3f0d793031b3af58b214af7884c0f63ce6db659ffd7432cf0aa852b51\n\ncommit: d41abb0f606bf5fdbdc0a7bd3758e0c30601b121 (Sep 23 2017)\nobject: b69903c3\nsha256: f95b8b12a8a13dd31add93527e1239fdff6997c7f2396e975e2e415db04b75fb\n```\n",
  "id": "HSEC-2024-0004",
  "modified": "2026-01-16T11:18:20Z",
  "published": "2026-01-16T11:18:20Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/haskell/hackage-server/commit/5a0dc3357b042502fcf684ed7e2464fde1407809"
    },
    {
      "type": "FIX",
      "url": "https://github.com/haskell/hackage-server/commit/33d9ea3de9a298b21b53ba23386af2742384e627"
    },
    {
      "type": "FIX",
      "url": "https://github.com/haskell/hackage-server/commit/354a7de3b7f21ad1346677df515d8e8ec75016e6"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Hackage package and doc upload stored XSS vulnerability"
}

GHSA-HXP4-RF8G-9MWQ

Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-04-23 18:33

Details

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-40470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-23T16:16:25Z",
    "severity": "CRITICAL"
  },
  "details": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.",
  "id": "GHSA-hxp4-rf8g-9mwq",
  "modified": "2026-04-23T18:33:03Z",
  "published": "2026-04-23T18:33:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40470"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/HSEC-2024-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40470 (GCVE-0-2026-40470)

FKIE_CVE-2026-40470

hsec-2024-0004

Vulnerability from osv_haskell

Hackage package and doc upload stored XSS vulnerability

Executive summary

Scope of the issue

Package documentation uploads

quick-jump JavaScript

Source tarball browsing

Impact

Mitigations

User content domain

quick-jump: reject unrecognised JavaScript and CSS

Acknowledgements

Appendix A.1. Known-good variants of quick-jump.min.js

From https://gitlab.haskell.org/ghc/haddock.git—master branch

From https://gitlab.haskell.org/ghc/ghc.git—master branch

Appendix A.2. Known-good variants of quick-jump.css

From https://gitlab.haskell.org/ghc/haddock.git—master branch

From https://gitlab.haskell.org/ghc/ghc.git—master branch

GHSA-HXP4-RF8G-9MWQ

Tags

Sightings

Nomenclature

`quick-jump` JavaScript

Appendix A.1. Known-good variants of `quick-jump.min.js`

From `https://gitlab.haskell.org/ghc/haddock.git`—`master` branch

From `https://gitlab.haskell.org/ghc/ghc.git`—`master` branch

Appendix A.2. Known-good variants of `quick-jump.css`

From `https://gitlab.haskell.org/ghc/haddock.git`—`master` branch

From `https://gitlab.haskell.org/ghc/ghc.git`—`master` branch