CVE-2026-40472

Summary

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.

Affected Software

VendorProductVersion RangeStatus
0.1 < *affected

Weaknesses

  • CWE-79: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References