
CVE-2026-40470 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-40470 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-40470 is a critical stored cross-site scripting (XSS) vulnerability affecting hackage-server, the software powering the Haskell package repository at hackage.haskell.org, where attacker-controlled HTML and JavaScript files are served without sanitization through the package source upload and documentation upload facilities.

Technical Detail

The flaw exists because hackage-server serves HTML and JavaScript files included in uploaded source packages or documentation archives directly to end users without content sanitization or appropriate Content-Type or Content-Security-Policy enforcement, allowing the files to execute as active browser content. An attacker with the ability to upload a package or documentation bundle can embed malicious scripts that execute in the browser context of any user who browses the affected package pages or documentation. Successful exploitation could result in session token theft, credential harvesting, account takeover of Haskell package maintainers, or injection of malicious content into a widely trusted developer resource, with a CVSS score of 9.9 reflecting the high potential for broad impact across the Haskell developer ecosystem.

Exploitation Status

No known exploit code has been publicly observed or confirmed at this time, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as "no known exploit", meaning there is no public proof-of-concept and no evidence of active in-the-wild exploitation as of April 30, 2026. However, the attack surface is reachable by any registered package uploader, which significantly lowers the barrier to exploitation.

Who Is Targeting This

No specific threat actor has been attributed at this time. The vulnerability is of interest to any adversary seeking to compromise developer toolchains or conduct supply chain attacks against Haskell software consumers, given that hackage.haskell.org is the primary package repository for the Haskell ecosystem. No campaigns or targeted sectors have been confirmed in connection with this CVE.

What To Do

Administrators running self-hosted instances of hackage-server should apply any available patches from the upstream hackage-server project immediately and verify that uploaded HTML and JavaScript content is either blocked, sandboxed, or served with strict Content-Security-Policy headers that prevent script execution. Users relying on hackage.haskell.org should monitor the official Haskell infrastructure announcements for confirmation that the hosted instance has been patched. As an interim measure, organizations can restrict internal developer access to untrusted or newly uploaded packages until remediation is confirmed. Detection can focus on anomalous JavaScript or HTML file inclusions within uploaded package archives and unexpected script execution events originating from hackage domains in browser telemetry.
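Two of the controls above, flagging HTML and JavaScript inclusions in uploaded archives and serving uploaded files so the browser cannot execute them, are illustrated by the following added example. It is not code from hackage-server or from the briefing's authors; it assumes the gzip tarball layout that Hackage accepts for package uploads, and the header values are a general hardening pattern for untrusted uploads, not the upstream project's fix.

```python
import io
import posixpath
import tarfile
from typing import Dict, List

# Extensions that a browser treats as active content when served with their
# natural MIME type. Limited to the HTML/JavaScript types the briefing names.
ACTIVE_CONTENT_EXTENSIONS = {".html", ".htm", ".js", ".mjs"}


def active_content_members(archive_bytes: bytes) -> List[str]:
    """Return the paths inside a .tar.gz upload whose extension marks them as
    HTML or JavaScript. Useful as a review gate or a detection on upload logs."""
    flagged: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # directories, symlinks etc. carry no servable body
            ext = posixpath.splitext(member.name)[1].lower()
            if ext in ACTIVE_CONTENT_EXTENSIONS:
                flagged.append(member.name)
    return sorted(flagged)


def hardened_headers(member_name: str) -> Dict[str, str]:
    """Response headers for serving one uploaded file to end users.

    Every file gets a deny-all CSP with the sandbox directive and nosniff.
    Files that would otherwise execute are additionally served as plain text
    and as a download, so neither a direct visit nor a <script src> reference
    from another page can run them."""
    ext = posixpath.splitext(member_name)[1].lower()
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext in ACTIVE_CONTENT_EXTENSIONS:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = "attachment"
    return headers


def build_sample_archive() -> bytes:
    """Constructed fixture (hypothetical package 'foo-0.1'): a benign .cabal
    file and Haskell source alongside an HTML page and a script."""
    entries = [
        ("foo-0.1/foo.cabal", "name: foo\nversion: 0.1\n"),
        ("foo-0.1/src/Foo.hs", "module Foo where\n"),
        ("foo-0.1/docs/index.html", "<html><body>docs</body></html>\n"),
        ("foo-0.1/docs/ui.js", "console.log('hello');\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in entries:
            data = body.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for path in active_content_members(archive):
        print(f"active content in upload: {path}")
        print(f"  serve with: {hardened_headers(path)}")
```

The extension check is deliberately simple; a production gate would also inspect content (for example, an HTML body under a misleading extension), which is why the header policy applies nosniff and the deny-all CSP to every served file rather than only to flagged ones.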
