CVE-2026-40470
Published: 23 April 2026
Summary
CVE-2026-40470 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Osv (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It ranks at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-40470 is a critical cross-site scripting (XSS) vulnerability (CWE-79) affecting the hackage-server software and the hackage.haskell.org website. Published on 2026-04-23, it has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). The flaw occurs because HTML and JavaScript files provided in source packages or via the documentation upload facility are served as-is on the main hackage.haskell.org domain.
A malicious package maintainer with low privileges can exploit this vulnerability by uploading HTML or JavaScript files containing malicious code through source packages or the documentation upload feature. When a victim user with stored HTTP credentials browses the affected package pages or documentation, their session can be hijacked. This enables the attacker to perform any authorized actions on behalf of the victim, including uploading packages or documentation, amending maintainers or other package metadata, or other privileged operations.
Mitigation details are available in the related advisory at https://osv.dev/vulnerability/HSEC-2024-0004.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25233
Vulnerability details
A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1185 Browser Session Hijacking
Why these techniques?
Stored XSS vulnerability allows malicious HTML/JS uploads to be served on the main domain, directly enabling browser session hijacking when victims browse affected pages.
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): requires filtering information prior to output to web pages, directly preventing cross-site scripting from untrusted HTML and JavaScript files that would otherwise be served as-is.
- SI-10 (Information Input Validation): mandates validation of inputs such as uploaded source packages and documentation, blocking malicious HTML or JavaScript content at ingestion.
- Publicly accessible content: directs design, implementation, and periodic review of publicly accessible content to eliminate XSS vulnerabilities on sites like hackage.haskell.org.
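As an added illustration (this is not hackage-server's code and not the fix referenced in HSEC-2024-0004), the following Python models the serving decision that the deeper analysis and the SI-15 control above describe. A naive handler returns every uploaded documentation file verbatim on the main origin, which is the vulnerable pattern; a hardened handler moves active content (HTML, SVG, JavaScript) to a separate origin that never carries the main site's session cookies or, when only one origin is available, applies the `sandbox` directive of Content-Security-Policy so the file renders but cannot execute script with the site's origin. The hostnames and the sample file list are constructed for the example.

```python
"""Decide how maintainer-uploaded documentation files should be served.

Illustrative example only: the origins below are hypothetical and the
planners are not hackage-server code.
"""
import mimetypes
from dataclasses import dataclass

# Hypothetical hostnames: the main site (carries session cookies) and a
# separate origin reserved for user-supplied content (never carries them).
MAIN_ORIGIN = "https://hackage.example.test"
USER_CONTENT_ORIGIN = "https://docs-usercontent.example.test"

# MIME types a browser renders as an active document: HTML (inline script),
# SVG (embedded script) and JavaScript itself.
ACTIVE_TYPES = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript", "application/x-javascript",
})


@dataclass(frozen=True)
class ServePlan:
    origin: str          # origin the file will be served from
    content_type: str    # Content-Type the response will carry
    headers: dict        # response headers


def guess_type(rel_path: str) -> str:
    ctype, _ = mimetypes.guess_type(rel_path)
    return ctype or "application/octet-stream"


def naive_plan(rel_path: str) -> ServePlan:
    """The vulnerable pattern from the advisory: every uploaded file is served
    verbatim, with its natural content type, on the main site's origin."""
    ctype = guess_type(rel_path)
    return ServePlan(MAIN_ORIGIN, ctype, {"Content-Type": ctype})


def hardened_plan(rel_path: str, separate_origin: bool = True) -> ServePlan:
    """Serve active content where it cannot act as the viewer."""
    ctype = guess_type(rel_path)
    headers = {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}
    if ctype not in ACTIVE_TYPES:
        # Images, CSS, archives and so on cannot run script: main origin is fine.
        return ServePlan(MAIN_ORIGIN, ctype, headers)
    if separate_origin:
        # Preferred: a cookieless origin. Script may run (Haddock-style docs
        # use it), but it has no session to steal; the sandbox keeps the
        # document's origin opaque as well.
        headers["Content-Security-Policy"] = "sandbox allow-scripts"
        return ServePlan(USER_CONTENT_ORIGIN, ctype, headers)
    # Fallback on a single origin: "sandbox" with no allow-* flag blocks script
    # execution and gives the document an opaque origin, so the file still
    # renders but cannot touch the viewer's session.
    headers["Content-Security-Policy"] = "sandbox"
    return ServePlan(MAIN_ORIGIN, ctype, headers)


def sandbox_flags(csp: str):
    """Return the allow-* flags of the CSP sandbox directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "sandbox":
            return {p.lower() for p in parts[1:]}
    return None


def can_hijack_session(plan: ServePlan) -> bool:
    """True if script inside the served document could run with the main
    site's origin, i.e. with access to the viewer's stored credentials."""
    if plan.content_type not in ACTIVE_TYPES:
        return False
    if plan.origin != MAIN_ORIGIN:
        return False
    flags = sandbox_flags(plan.headers.get("Content-Security-Policy", ""))
    if flags is None:
        return True  # no sandbox at all: the advisory's scenario
    # Only a sandbox that re-grants both script execution and same-origin
    # access restores the risk.
    return {"allow-scripts", "allow-same-origin"} <= flags


# Constructed sample of files a maintainer might include in a docs upload.
SAMPLE_UPLOAD = ["index.html", "src/Main.html", "haddock-bundle.js",
                 "logo.svg", "style.css", "diagram.png"]


def audit(paths, planner):
    """Return the paths that could hijack a viewer's session under `planner`."""
    return [p for p in paths if can_hijack_session(planner(p))]


if __name__ == "__main__":
    print("naive   :", audit(SAMPLE_UPLOAD, naive_plan))
    print("hardened:", audit(SAMPLE_UPLOAD, hardened_plan))
```

Run as a script it lists which of the constructed upload's files would be risky under each policy: the naive planner flags every HTML, SVG and JavaScript file, the hardened planner flags none. The `audit` function is also a cheap regression check to keep in a deployment's test suite, since a later change that adds `allow-same-origin` next to `allow-scripts` on the main origin would silently reopen the hole.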