GHSA-HXP4-RF8G-9MWQ

Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-04-23 18:33
VLAI?
Details

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-40470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-23T16:16:25Z",
    "severity": "CRITICAL"
  },
  "details": "A critical XSS vulnerability affected hackage-server and\nhackage.haskell.org.  HTML and JavaScript files provided in source\npackages or via the documentation upload facility were served\nas-is on the main hackage.haskell.org domain.  As a consequence,\nwhen a user with latent HTTP credentials browses to the package\npages or documentation uploaded by a malicious package maintainer,\ntheir session can be hijacked to upload packages or\ndocumentation, amend maintainers or other package metadata, or\nperform any other action the user is authorised to do.",
  "id": "GHSA-hxp4-rf8g-9mwq",
  "modified": "2026-04-23T18:33:03Z",
  "published": "2026-04-23T18:33:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40470"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/HSEC-2024-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.