External risk intelligence

Attacker can hijack user accounts to change sensitive package information on Haskell's main distribution site.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-40470

A critical vulnerability in Hackage's main site allows attackers to hijack user accounts, enabling them to change package details or upload malicious content. This affects authenticated users browsing package pages.

Halo Surface Signal score for CVE-2026-40470: 5 (external exposure likelihood)

Weakness type: Cross-site Scripting

The vulnerability affects Hackage Server, the primary distribution platform for Haskell software. As a web-based repository service designed to allow users to browse and upload documentation and packages, the platform functions as a public-facing web application by design in its standard deployment.

PCI scan relevance

CVE-2026-40470 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is PCI relevant because it is a critical cross-site scripting (XSS) flaw that could lead to session hijacking, enabling unauthorized actions on the affected system.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical cross-site scripting vulnerability exists in the Hackage server, affecting the main hackage.haskell.org domain. This issue allows malicious package maintainers to inject HTML and JavaScript, potentially hijacking user sessions when they visit affected package pages or documentation. This could lead to unauthorized actions like uploading or amending packages.

  • Attackers can steal user sessions.
  • Malicious code can be served directly.
  • Affects users with existing credentials.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by creating malicious Haskell packages or documentation that contain embedded HTML and JavaScript. When authenticated users browse these malicious uploads on the main hackage.haskell.org domain, their browser would execute the attacker's code, potentially hijacking their session. This could allow the attacker to impersonate the user, uploading packages or altering existing metadata.

  • Malicious content upload required.
  • Authenticated user browsing vulnerable page.
  • Session hijacking for package manipulation.

Live Threat

Current exploitation, exposure, and threat context

The described XSS vulnerability on the Hackage server allows for session hijacking, enabling attackers to potentially alter package metadata, upload malicious code, or impersonate users. While this vulnerability has a critical severity and affects a central platform for Haskell development, there are currently no public reports or exploit code demonstrating active weaponization.

  • No KEV listing.
  • No public exploit code observed.
  • Vulnerability published recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize containment and monitoring for the XSS vulnerability in hackage-server, as a reliable patch is not yet available. Teams should focus on preventing the execution of malicious scripts by sanitizing user-supplied HTML and JavaScript content. Monitoring for suspicious activity related to package uploads and metadata changes is also crucial.

  • Block or sanitize uploaded HTML/JS.
  • Monitor for unauthorized metadata changes.
  • Review package upload logs.
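The "block or sanitize uploaded HTML/JS" step above, as an added example that is not code from this advisory or from the hackage-server project: a review gate that walks the HTML files of a documentation upload and reports markup that can execute or load code (script and embedding elements, inline `on*` handlers, `javascript:`/`vbscript:`/`data:` URLs). The upload is modelled as a `{path: html_text}` mapping and the sample pages are constructed; both are assumptions for the example.

```python
# Added example (not hackage-server's own code): review gate over a doc upload,
# modelled as {path: html_text} (an assumption), flagging markup that can run code.
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentScanner(HTMLParser):
    """Collect (line, reason) findings; HTMLParser lowercases tag/attr names."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # 1-based line of the tag in the file
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler, e.g. onerror=
                self.findings.append((line, f"inline handler {name}"))
            elif name in URL_ATTRS and value and ":" in value:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "vbscript", "data"):
                    self.findings.append((line, f"{name} uses {scheme}: URL"))


def scan_docs(files):
    """Return {path: [(line, reason), ...]} for every HTML file with findings."""
    report = {}
    for path, html in files.items():
        if not path.lower().endswith((".html", ".htm")):
            continue  # images, CSS and .hs sources are not parsed here
        scanner = ActiveContentScanner()
        scanner.feed(html)
        scanner.close()
        if scanner.findings:
            report[path] = scanner.findings
    return report


# Constructed sample upload: a clean Haddock-style page and one with active content.
SAMPLE_UPLOAD = {
    "doc/index.html": "<html><body><h1>Module Foo</h1><p>Plain docs.</p></body></html>",
    "doc/Foo.html": "<html><body>\n"
                    "<img src=\"x\" onerror=\"alert('x')\">\n"
                    "<a href=\"javascript:alert('x')\">link</a>\n"
                    "<script>document.title = 'x'</script>\n"
                    "</body></html>",
}
```

A non-empty report is the signal to reject the upload or hold it for manual review; pairing this gate with a restrictive Content-Security-Policy on served documentation limits what any markup that slips through can do.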

Frequently asked questions

What is the hackage-server and hackage.haskell.org?

The hackage-server is the software that powers hackage.haskell.org, which is the primary distribution service for Haskell software packages and their documentation. Developers use it to find, download, and upload Haskell libraries.

How does CVE-2026-40470 exploit a cross-site scripting (XSS) weakness?

This vulnerability is a type of cross-site scripting (XSS) weakness. It allows malicious actors to inject and serve HTML and JavaScript directly from package uploads on hackage.haskell.org. This malicious code can then run in a user's browser.

What conditions are needed for this vulnerability to be exploited?

An attacker must first upload malicious HTML or JavaScript within a Haskell package or its documentation. The vulnerability is then triggered when an authenticated user browses to the compromised package pages or documentation on the main hackage.haskell.org domain.

Who should be concerned about this vulnerability, based on its exposure?

Anyone interacting with hackage.haskell.org should be concerned. Because hackage.haskell.org is a public-facing web application, this vulnerability is classified as external and affects users who access the site.

What is the first step for operators running this technology to respond to this threat?

The immediate first step is to focus on preventing the execution of malicious scripts. This involves sanitizing any user-supplied HTML and JavaScript content. Additionally, closely monitoring for any unusual package uploads or metadata modifications is crucial.
