External risk intelligence

Hackage-Server: Stored Cross-Site Scripting Risk in Metadata Rendering.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-40472

The hackage-server component allows for the rendering of user-supplied metadata without proper sanitization. This can lead to stored cross-site scripting attacks, potentially impacting users and causing data compromise or service disruption. The business risk involves unauthorized actions or data exposure through malic

Halo Surface Signal: 5

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-40472

Hackage-server is a public-facing web application that serves as a centralized package repository for the Haskell community; users browse and view package metadata over the internet. Because the vulnerability resides in the rendering of those public pages, the vulnerable surface is exposed by design to any internet user visiting the platform.

PCI scan relevance

PCI Relevance for CVE-2026-40472

Yes

CVE-2026-40472 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows stored Cross-Site Scripting (XSS) attacks due to improper sanitization of metadata in .cabal files. The PCI ASV Program Guide treats confirmed XSS as an automatic scan failure, so an exposed instance could fail an ASV scan.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

The hackage-server component renders user-supplied metadata from .cabal files into HTML without adequate sanitization, so script and markup carried in those fields reach the browsers of users viewing the package page. The potential impact includes the compromise of user sessions and the disruption of services.

  • Vulnerable: Hackage-server component
  • Weakness: Unsanitized rendering of .cabal metadata into HTML
  • Impact: Session and data compromise, service disruption

Attack Path

How an attacker could exploit the issue

An attacker controls the metadata fields of a .cabal file that they publish. When hackage-server renders those fields into HTML, the unsanitized values become part of the page, so attacker-chosen markup or link targets execute as script in the browser of every user who views it. This can lead to unauthorized actions in the victim's session or data exposure within the affected system.

  • Publicly accessible web server exposure.
  • Attacker publishes a package whose metadata carries the payload.
  • Script executes in the browsers of users viewing the package page.
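As an added illustration of the attack path, not code from hackage-server (whose rendering is written in Haskell), the Python below parses a constructed .cabal fragment and renders it two ways: a naive template that drops field values straight into the page, including into an href attribute, and a hardened version that entity-escapes free text and accepts only absolute http(s) URLs for links. The package name, field values and function names are invented for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample .cabal metadata for the example (not a real package).
# The homepage field carries a javascript: URL and the description carries
# inline HTML: one payload shape for an href sink, one for a text sink.
MALICIOUS_CABAL = """\
name:        demo-pkg
version:     0.1.0.0
synopsis:    A harmless-looking package
homepage:    javascript:alert(document.cookie)
bug-reports: https://example.invalid/issues
description: Hello <img src=x onerror=alert(1)> world
"""

SAFE_SCHEMES = {"http", "https"}


def parse_cabal_fields(text):
    """Minimal 'field: value' parser for the top-level fields used here.

    Real .cabal parsing is far richer (sections, continuation lines, braces);
    this is just enough to feed the two renderers below.
    """
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def render_vulnerable(fields):
    """Naive rendering: values are interpolated straight into the markup,
    including into an href attribute. Both payloads survive untouched."""
    return (f'<h1>{fields["name"]}</h1>'
            f'<p>{fields.get("description", "")}</p>'
            f'<a href="{fields.get("homepage", "")}">Homepage</a>')


def safe_link(url):
    """Return an escaped href value for an absolute http(s) URL, else None.

    Entity escaping alone does not help for this sink: 'javascript:alert(1)'
    contains nothing html.escape rewrites, so the scheme must be checked.
    Requiring a netloc also rejects protocol-relative '//host/' values.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return html.escape(cleaned, quote=True)


def render_hardened(fields):
    """Escape every free-text field; emit a link only for a validated URL."""
    name = html.escape(fields["name"])
    desc = html.escape(fields.get("description", ""))
    href = safe_link(fields.get("homepage", ""))
    link = (f'<a href="{href}">Homepage</a>' if href
            else "<span>Homepage: (no valid URL)</span>")
    return f"<h1>{name}</h1><p>{desc}</p>{link}"


if __name__ == "__main__":
    fields = parse_cabal_fields(MALICIOUS_CABAL)
    print("vulnerable:", render_vulnerable(fields))
    print("hardened:  ", render_hardened(fields))
```

The point of `safe_link` is that an href is a different sink from text: escaping `<`, `>` and quotes stops the description payload but leaves `javascript:alert(document.cookie)` intact, so link fields need an allowlist of schemes on top of escaping.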

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in hackage-server allows stored cross-site scripting: user-controlled metadata is rendered without proper sanitization, so an attacker can embed script in the fields of a `.cabal` file and have it execute in the browser of every user who views the rendered package page. This could lead to the compromise of user sessions and sensitive data.

  • Low attacker skill required; the payload is ordinary metadata text.
  • Publishing a package needs an upload account; viewing the poisoned page needs none.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Start by identifying every system that renders .cabal file metadata into HTML: hackage-server instances, and any mirror or internal package index that reuses its rendering code. The advisory notes that attacker-controlled values reach HTML href attributes, so link-bearing fields (for example, a package's homepage) are a sink in their own right, and entity escaping alone does not neutralize a `javascript:` target; the fix has to validate URL schemes as well as escape text. Locating these assets first establishes the scope of the risk before exposure is reduced and vendor fixes are applied.

  • Find systems rendering .cabal metadata.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes, verify, and monitor.
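As an added verification example for the "verify, and monitor" step, not a hackage-server tool, the Python below walks a rendered package page with the standard-library HTML parser and reports two signatures of metadata reaching the page unsanitized: anchors whose href carries a scheme other than http(s), and inline event-handler attributes on any element. The two sample pages are constructed for the example to show what an unpatched and a fixed renderer would emit for the same poisoned package; the class and function names are invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}

# Browsers strip ASCII whitespace and control characters before parsing a
# URL scheme, so "java\tscript:" is still javascript: to them. Mirror that
# before classifying, or a payload with an embedded tab slips past the check.
_CTRL_WS = re.compile(r"[\x00-\x20]")


class LinkAuditor(HTMLParser):
    """Collect suspicious attributes from a rendered page.

    Relative links (empty scheme) are left alone: a package page legitimately
    links to /package/<name> and similar internal paths.
    """

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value) triples

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None:
                continue
            if attr.startswith("on"):
                # Inline handlers such as onerror/onload never come from a
                # template; they are the description-field payload landing.
                self.findings.append((tag, attr, value))
            elif tag == "a" and attr == "href":
                scheme = urlsplit(_CTRL_WS.sub("", value)).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    self.findings.append((tag, attr, value))


def audit_page(page_html):
    """Return [(tag, attribute, value)] for every suspicious attribute found;
    an empty list means the page shows neither signature."""
    auditor = LinkAuditor()
    auditor.feed(page_html)
    auditor.close()
    return auditor.findings


# Constructed package pages for the example: the first is what an unpatched
# renderer would emit for a poisoned .cabal file, the second what a fixed one
# would emit (text escaped, invalid homepage URL dropped, internal link kept).
VULNERABLE_PAGE = (
    "<html><body><h1>demo-pkg</h1>"
    "<p>Hello <img src=x onerror=alert(1)> world</p>"
    '<a href="javascript:alert(document.cookie)">Homepage</a>'
    '<a href="/package/base">base</a>'
    "</body></html>"
)

FIXED_PAGE = (
    "<html><body><h1>demo-pkg</h1>"
    "<p>Hello &lt;img src=x onerror=alert(1)&gt; world</p>"
    "<span>Homepage: (no valid URL)</span>"
    '<a href="/package/base">base</a>'
    "</body></html>"
)


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, audit_page(page))
```

Run this against the package pages of a patched instance (for example, the pages of any package whose homepage or bug-reports field was used in a report) to confirm the fix took, and keep it in a scheduled check so a regression or a freshly uploaded payload is noticed rather than waiting for the next ASV scan.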

Frequently asked questions

What is hackage-server and what is it used for?

Hackage-server is a component that serves as a central repository for the Haskell programming language community. It is used by developers to browse and access package metadata for various Haskell libraries and tools.

What is the weakness in CVE-2026-40472?

CVE-2026-40472 is a stored Cross-Site Scripting (XSS) vulnerability. The weakness is that user-supplied metadata from .cabal files is rendered into HTML without adequate escaping or validation, so markup and link targets chosen by the uploader are executed as script by the browsers of users viewing the page.

How can an attacker exploit this vulnerability?

An attacker submits a .cabal file whose metadata fields contain crafted markup or link targets. When hackage-server renders that metadata as HTML, the embedded script executes in the browser of every user viewing the package information. Uploading a package to hackage-server requires an upload account, so the realistic attacker is a registered uploader; the users whose browsers execute the payload need no authentication at all.

Who should be concerned about CVE-2026-40472?

Organizations running hackage-server should be concerned because it is a public-facing web application. This means the vulnerability is exposed to any internet user visiting the platform, making it a potential target for malicious actors.

What is the first step to address this CVE?

The initial step is to identify which systems within your organization are responsible for rendering .cabal file metadata. Once these systems are found, you can then focus on reducing their exposure, isolating them if necessary, and preparing to apply vendor-provided fixes.
