Cyber Posture

CVE-2026-40470

Critical

Published: 23 April 2026
Modified: 24 April 2026
KEV Added: none (not currently in the CISA KEV catalog)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0005 (16.1th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40470 is a critical-severity cross-site scripting (CWE-79) vulnerability in Osv (product name inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 16.1th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-15, Information Output Filtering): Requires filtering information prior to output to web pages, to directly prevent cross-site scripting from untrusted HTML and JavaScript files served as-is.

prevent (SI-10, Information Input Validation): Mandates validation of inputs such as uploaded source packages and documentation, to block malicious HTML or JavaScript content at ingestion.

prevent: Directs design, implementation, and periodic review of publicly accessible content to eliminate XSS vulnerabilities on sites such as hackage.haskell.org.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

The stored XSS vulnerability allows malicious HTML/JS uploads to be served on the main domain, which directly enables browser session hijacking when victims browse the affected pages.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses to the package pages or documentation uploaded by a malicious package maintainer, their session can be hijacked to upload packages or documentation, amend maintainers or other package metadata, or perform any other action the user is authorised to do.

Deeper analysis

CVE-2026-40470 is a critical cross-site scripting (XSS) vulnerability (CWE-79) affecting the hackage-server software and the hackage.haskell.org website. Published on 2026-04-23, it has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). The flaw occurs because HTML and JavaScript files provided in source packages or via the documentation upload facility are served as-is on the main hackage.haskell.org domain.

A malicious package maintainer with low privileges can exploit this vulnerability by uploading HTML or JavaScript files containing malicious code through source packages or the documentation upload feature. When a victim user with stored HTTP credentials browses the affected package pages or documentation, their session can be hijacked. This enables the attacker to perform any authorized actions on behalf of the victim, including uploading packages or documentation, amending maintainers or other package metadata, or other privileged operations.

Mitigation details are available in the related advisory at https://osv.dev/vulnerability/HSEC-2024-0004.
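As an added illustration (not code from hackage-server, the advisory, or this page), the policy below contrasts the "served as-is" behaviour described above with a hardened variant: uploaded files that a browser would render or execute are never sent from the origin that carries the session cookie, but from a separate origin under a CSP sandbox, and every response is marked nosniff so a renamed file cannot be sniffed into HTML. The origins, file names and file contents are constructed placeholders.

```python
import mimetypes
import re
from dataclasses import dataclass, field

# Content a browser renders or executes; on the cookie-bearing origin it can act as the viewer.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/javascript", "application/javascript", "application/xml", "text/xml"}
# A renamed file (e.g. ".txt") can still be sniffed as HTML by a browser, so inspect the bytes too.
ACTIVE_MARKERS = re.compile(rb"<\s*(script|html|body|svg|iframe|object|embed|meta)\b", re.I)

MAIN_ORIGIN = "https://hackage.example"  # placeholder: the origin that carries the session cookie
DOCS_ORIGIN = "https://docs.example"     # placeholder: separate origin that never sees that cookie


@dataclass(frozen=True)
class Response:
    origin: str
    headers: dict = field(default_factory=dict)


def guess_type(path: str) -> str:
    ctype, _ = mimetypes.guess_type(path)
    return ctype or "application/octet-stream"


def is_active(path: str, body: bytes) -> bool:
    """True if the file would be rendered or executed as-is by a browser."""
    return guess_type(path) in ACTIVE_TYPES or ACTIVE_MARKERS.search(body[:4096]) is not None


def serve_as_is(path: str, body: bytes) -> Response:
    """Vulnerable behaviour: whatever the upload contained goes out on the main origin."""
    return Response(MAIN_ORIGIN, {"Content-Type": guess_type(path)})


def serve_hardened(path: str, body: bytes) -> Response:
    """Hardened: nosniff always; active content only from a separate origin under a CSP sandbox."""
    headers = {"Content-Type": guess_type(path), "X-Content-Type-Options": "nosniff"}
    if not is_active(path, body):
        return Response(MAIN_ORIGIN, headers)  # plain assets (css, png, text) are harmless as-is
    # 'sandbox' gives the document an opaque origin: no cookies, no same-origin DOM or requests,
    # so even a script inside uploaded documentation cannot act with the viewer's session.
    headers["Content-Security-Policy"] = "sandbox"
    return Response(DOCS_ORIGIN, headers)
```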

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: Osv (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-25203 (shared CWE-79)
CVE-2025-27380 (shared CWE-79)
CVE-2025-24414 (shared CWE-79)
CVE-2025-24417 (shared CWE-79)
CVE-2025-69392 (shared CWE-79)
CVE-2025-25612 (shared CWE-79)
CVE-2026-21311 (shared CWE-79)
CVE-2025-0370 (shared CWE-79)
CVE-2025-25823 (shared CWE-79)
CVE-2024-55228 (shared CWE-79)
