Cyber Resilience

CVE-2026-40472

Critical

Published: 23 April 2026
Modified: 24 April 2026
CVSS v3.1 base score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS score: 0.0030 (21.8th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40472 is a critical-severity Cross-Site Scripting (CWE-79) vulnerability. The affected product was inferred from references as Osv, although the advisory text itself identifies the affected software as hackage-server. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.8th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-40472 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting hackage-server. In this issue, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling attackers to inject malicious scripts. The vulnerability received a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) and was published on 2026-04-23.

The attack requires low privileges (PR:L): a registered user able to submit .cabal files (such as a package uploader) can inject XSS payloads into metadata fields. These payloads persist on the server and execute in the browsers of other users who view the affected package details, with no user interaction needed (UI:N). Exploitation yields high confidentiality and integrity impact (C:H/I:H), low availability impact (A:L), and a scope change (S:C), potentially enabling session hijacking, data theft, or further compromise across the application's security context.
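As an added illustration (not hackage-server's own code, which is Haskell), the following Python shows the defect class described above: a .cabal metadata field written straight into an href attribute, next to a hardened renderer that allow-lists the URL scheme and escapes the attribute value. Function names and the sample package metadata are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit

# Only these schemes may appear in a rendered link (hypothetical policy).
ALLOWED_SCHEMES = {"http", "https"}

# Constructed .cabal-style metadata: one benign homepage and two hostile
# values of the kind a stored XSS in an href attribute depends on.
SAMPLE_PACKAGES = [
    {"name": "good-pkg", "homepage": "https://example.org/good-pkg"},
    {"name": "bad-scheme", "homepage": "javascript:alert(1)"},
    {"name": "attr-breakout", "homepage": 'https://x.test/" onmouseover="alert(1)'},
]


def render_homepage_unsafe(pkg):
    """Vulnerable pattern: metadata is interpolated into the attribute verbatim."""
    return f'<a href="{pkg["homepage"]}">{pkg["name"]}</a>'


def safe_href(value):
    """Return an attribute-safe URL, or None if the link should be dropped.

    Two independent checks: the scheme must be on the allow-list (so a
    javascript: URL never becomes a link), and the whole value is
    HTML-escaped (so a quote in the URL cannot terminate the attribute).
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return escape(value, quote=True)


def render_homepage_safe(pkg):
    """Hardened renderer: falls back to plain text when the URL is rejected."""
    href = safe_href(pkg["homepage"])
    name = escape(pkg["name"], quote=True)
    if href is None:
        return f"<span>{name}</span>"
    return f'<a href="{href}">{name}</a>'


if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        print("unsafe:", render_homepage_unsafe(pkg))
        print("safe:  ", render_homepage_safe(pkg))
```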

Mitigation details are available in the referenced advisory at https://osv.dev/vulnerability/HSEC-2026-0004.

Vulnerability details

In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS in public-facing hackage-server directly enables injection/execution of malicious JavaScript in victim browsers (T1059.007) and exploitation of the exposed web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-26907 (shared CWE-79)
- CVE-2025-69084 (shared CWE-79)
- CVE-2025-69048 (shared CWE-79)
- CVE-2025-22567 (shared CWE-79)
- CVE-2025-69324 (shared CWE-79)
- CVE-2026-1841 (shared CWE-79)
- CVE-2025-26588 (shared CWE-79)
- CVE-2025-23850 (shared CWE-79)
- CVE-2025-23643 (shared CWE-79)
- CVE-2025-23616 (shared CWE-79)

Affected Assets

Osv (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- prevent: Filters user-controlled metadata from .cabal files prior to rendering into HTML href attributes, directly preventing stored XSS payload execution in viewers' browsers.
- prevent: Validates metadata inputs from .cabal files to detect and reject malicious scripts before they are stored and rendered.
- prevent: Restricts the format, length, and type of .cabal metadata inputs to limit opportunities for injecting XSS payloads.
