A stored Cross-Site Scripting (XSS) vulnerability exists in hackage-server where user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization. This allows attackers to inject malicious scripts that execute when users interact with the affected pages. The vulnerability affects the Haskell package repository infrastructure and could be exploited to compromise user accounts or steal sensitive information. The stored nature of the XSS makes it particularly dangerous as the malicious payload persists in the application.