EUVD-2026-25235

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

CVE-2026-40472 Hackage package metadata stored XSS vulnerability

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

CVE-2026-40472

The CVE-2026-40472 affects the Hackage Haskell server (hackage-server). It enables stored XSS by injecting user-controlled metadata from .cabal files that is rendered into HTML href attributes without proper sanitization. The underlying issue is unsanitized rendering of certain metadata fields (e...

CVE-2026-40472

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks...

HSEC-2026-0004 Hackage package metadata stored XSS vulnerability

Hackage package metadata stored XSS vulnerability User-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting XSS attacks. The specific fields affected are: - homepage - bug-reports - source-repository.locatio...