EUVD-2026-25234

hackage-server lacked Cross-Site Request Forgery CSRF protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abus...

EUVD-2026-25235

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

EUVD-2026-25233

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses...

CVE-2026-40470

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses...

CVE-2026-40472

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

CVE-2026-40471

hackage-server lacked Cross-Site Request Forgery CSRF protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abus...

CVE-2026-40472 Hackage package metadata stored XSS vulnerability

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

CVE-2026-40472 Hackage package metadata stored XSS vulnerability

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

CVE-2026-40472

The CVE-2026-40472 affects the Hackage Haskell server (hackage-server). It enables stored XSS by injecting user-controlled metadata from .cabal files that is rendered into HTML href attributes without proper sanitization. The underlying issue is unsanitized rendering of certain metadata fields (e...

CVE-2026-40472

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

CVE-2026-40471

CVE-2026-40471 affects the Hackage hackage-server where CSRF protection was lacking across endpoints. This could allow forged requests from scripts on foreign sites to abuse latent credentials, potentially uploading packages or performing administrative actions, with some unauthenticated actions ...

CVE-2026-40471 Hackage CSRF vulnerability

hackage-server lacked Cross-Site Request Forgery CSRF protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abus...

CVE-2026-40471 Hackage CSRF vulnerability

hackage-server lacked Cross-Site Request Forgery CSRF protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abus...

CVE-2026-40471

hackage-server lacked Cross-Site Request Forgery CSRF protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abus...

CVE-2026-40470

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses...

CVE-2026-40470

A critical XSS vulnerability (CVE-2026-40470) affected hackage-server and hackage.haskell.org . HTML/JavaScript from source packages or documentation uploads were served directly on the main domain, enabling an attacker with malicious upload to hijack latent HTTP credentials and perform actions t...

CVE-2026-40470 Hackage package and doc upload stored XSS vulnerability

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses...

CVE-2026-40470 Hackage package and doc upload stored XSS vulnerability

A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and JavaScript files provided in source packages or via the documentation upload facility were served as-is on the main hackage.haskell.org domain. As a consequence, when a user with latent HTTP credentials browses...

hackage-server 跨站请求伪造漏洞

hackage-server is a Haskell open-source package repository server. hackage-server has a cross-site request forgery vulnerability. This vulnerability stems from the lack of protection against cross-site request forgery attacks, which may allow external scripts to trigger requests, enabling the abu...

hackage-server 跨站脚本漏洞

hackage-server is a Haskell software package repository server developed under open source. hackage-server has a cross-site scripting vulnerability, which stems from improperly cleaned user-controlled metadata. This vulnerability may lead to storage-based cross-site scripting attacks...