CVE-2026-40472

216.73.216.6

· Published 23/04/2026 16:16 · Modified 24/04/2026 14:41

Labels: CVE-2026-40472 2026-04-23 74b3a70d-cca6-4d34-9789-e83b222ae3be CVE-2026-40472 CWE-79

Essential information

Published: 23/04/2026 16:16
Modified: 24/04/2026 14:41
Author: —
Creator: —
CVSS: 9.9 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CVSS metrics

Description

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 74b3a70d-cca6-4d34-9789-e83b222ae3be
NVD: View on NVD

Affected products (CPE)

Product	CPE
hackage-server / hackage-server	`cpe:2.3:a:hackage-server:hackage-server::::::::`