Part of Lyceum Intelligence deep-research In Focus reports.

CVE-2026-40472 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-40472 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-40472 is a stored Cross-Site Scripting (XSS) vulnerability in hackage-server, the software powering the Haskell package repository, where user-supplied metadata from .cabal package files is rendered into HTML href attributes without sanitization.

Technical Detail

The flaw exists because hackage-server incorporates user-controlled fields from uploaded .cabal files directly into HTML href attributes without encoding or validating the input against expected URL schemes. An attacker with the ability to publish or update a package on the server can embed malicious JavaScript payloads within .cabal metadata fields, which are then stored server-side and executed in the browsers of any user who views the affected package page. Successful exploitation enables session hijacking, credential theft, or delivery of further client-side attacks against authenticated users, including repository maintainers and administrators, which accounts for the elevated CVSS score of 9.9.
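The rendering flaw described above, with a hardened counterpart beside it, as an added Python example; it is not hackage-server's own (Haskell) code, and the field names and sample values are constructed for illustration.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed sample metadata, as if parsed from an uploaded .cabal file.
# The cabal field names are used for illustration only; the second value is
# a constructed hostile entry, not a real package's metadata.
SAMPLE_META = {
    "homepage": "https://example.org/pkg",
    "bug-reports": "javascript:alert(1)",
}

ALLOWED_SCHEMES = {"http", "https"}


def render_link_vulnerable(label, value):
    """The flaw class: metadata dropped straight into href, no checks."""
    return f'<a href="{value}">{label}</a>'


def safe_href(value):
    """Return the URL if it is an absolute http(s) URL, otherwise None.

    Scheme is compared case-insensitively, scheme-relative ('//host')
    and scheme-less values are rejected, surrounding whitespace is ignored.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_link_safe(label, value):
    """Validate the scheme, then attribute-encode; otherwise emit no link."""
    href = safe_href(value)
    if href is None:
        return escape(label)          # show plain text, never a hostile link
    return f'<a href="{escape(href, quote=True)}">{escape(label)}</a>'


def rejected_fields(meta):
    """Upload-time check: names of fields whose values would not be linked."""
    return [name for name, value in meta.items() if safe_href(value) is None]
```

The upload-time check is the place to refuse the package outright; the render-time escaping is the defence that still holds for metadata already stored.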

Exploitation Status

No known exploit has been publicly documented or observed at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. While the attack concept is well understood given the maturity of XSS techniques, there is no confirmed proof-of-concept code or evidence of active exploitation in the wild as of April 30, 2026.

Who Is Targeting This

No specific threat actor attribution at this time. However, the nature of this vulnerability makes it relevant to supply chain threat scenarios, where adversaries targeting developer tooling and package repositories could leverage stored XSS to compromise maintainer accounts and potentially facilitate malicious package modifications.

What To Do

Operators running self-hosted instances of hackage-server should apply any available patches from the upstream hackage-server project immediately, prioritizing instances accessible to external users or that host packages maintained by privileged accounts. As an interim measure, administrators should review Content Security Policy headers to restrict inline script execution, which can reduce the impact of XSS payloads even if the underlying flaw is not yet patched. Package repository users should exercise caution when browsing unfamiliar or newly published packages and consider using browser-level XSS protections. Monitoring for anomalous session activity or unexpected redirects on the server can serve as a detection signal while a patch is being applied.
