A critical XSS vulnerability in hackage-server and hackage.haskell.org allows malicious package maintainers to serve HTML and JavaScript files directly on the main domain. When users with HTTP credentials browse affected package pages or documentation, their sessions can be hijacked. Attackers can then upload packages, modify documentation, amend maintainer information, change package metadata, or perform any authorized actions on behalf of the compromised user. The vulnerability stems from serving user-provided HTML and JavaScript content without proper sanitization or domain isolation.