top of page
perceptive_background_267k.jpg

A critical XSS vulnerability affected hackage-server and
hackage.haskell.org. HTML and JavaScript files provided in source
packages or via the documentation up…

Published:

22 april 2026 om 22:00:00

Alert date:

23 april 2026 om 17:04:31

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Supply Chain & Dependencies

A critical XSS vulnerability in hackage-server and hackage.haskell.org allows malicious package maintainers to serve HTML and JavaScript files directly on the main domain. When users with HTTP credentials browse affected package pages or documentation, their sessions can be hijacked. Attackers can then upload packages, modify documentation, amend maintainer information, change package metadata, or perform any authorized actions on behalf of the compromised user. The vulnerability stems from serving user-provided HTML and JavaScript content without proper sanitization or domain isolation.

Technical details

Mitigation steps:

Affected products:

hackage-server
hackage.haskell.org

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-40470
https://osv.dev/vulnerability/HSEC-2024-0004

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page