
CVE-2026-40471 -- CVSS 9.6 Vulnerability Briefing

CVE-2026-40471 | CVSS 9.6 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-40471 is a Cross-Site Request Forgery (CSRF) vulnerability affecting hackage-server, the open-source package hosting server used by the Haskell community to distribute and manage software packages.

Technical Detail

The hackage-server application did not implement CSRF protections on its endpoints, so a malicious script hosted on a third-party site could silently issue authenticated requests to a targeted hackage-server instance on behalf of a logged-in user. An attacker who can lure an authenticated user to a crafted page can ride on the session credentials the user's browser attaches automatically to perform privileged actions, most notably uploading arbitrary packages to the server. The practical impact includes supply chain compromise: a successful exploit could allow an attacker to publish malicious or trojanized packages under a legitimate user's identity without that user's knowledge or consent.

Exploitation Status

No known exploit code has been identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning no public proof-of-concept or operational tooling has been confirmed. Despite the absence of observed exploitation, the attack technique is well understood and requires no specialized tooling, which lowers the barrier for opportunistic abuse.

Who Is Targeting This

No specific threat actor attribution at this time. However, the nature of this vulnerability, specifically the ability to inject packages into a trusted software repository, makes it of interest to actors conducting software supply chain attacks. No campaigns leveraging this CVE have been confirmed as of April 30, 2026.

What To Do

Operators running self-hosted instances of hackage-server should apply the latest available patch or update that introduces CSRF token validation across all state-changing endpoints. Until a patch is applied, administrators should consider restricting access to the hackage-server interface to trusted networks or requiring additional authentication controls such as IP allowlisting. Users with administrative or upload privileges should avoid browsing untrusted sites while authenticated to a hackage-server instance. Monitor server logs for unexpected package upload events or account actions that do not correspond to known user activity, as these may indicate exploitation attempts.
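To make the recommended mitigation concrete, the following is an added example (not hackage-server's own code) of the check a state-changing endpoint such as a package upload needs in order to stop the forged request described under Technical Detail: the server ties a per-session synchronizer token to the logged-in session and also requires the browser-supplied Origin or Referer to match its own origin. The site origin, the endpoint path and the header/form field names are assumptions for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://hackage.example.org"  # assumed self-hosted instance
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once at login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]  # resolved from the cookie the browser sent automatically


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Reject state-changing requests a third-party page could have forged."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"
    if req.session is None:
        return False, "no session"
    # 1. Browsers add Origin (or Referer) to cross-site form posts; it must be ours.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src or _origin_of(src) != SITE_ORIGIN:
        return False, "cross-origin or missing Origin"
    # 2. Synchronizer token: a forged form cannot read it, so it cannot include it.
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def handle_upload(req: Request) -> str:
    """Assumed upload handler: only performs the upload once the CSRF check passes."""
    ok, why = csrf_check(req)
    if not ok:
        return f"403 rejected upload ({why})"
    return f"200 package uploaded by {req.session.user}"
```

The rejection reasons are worth logging, since a burst of cross-origin rejections on upload endpoints is the kind of signal the monitoring advice above is looking for.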

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.