CVE-2026-40472

· NIST NVD ↗

In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks.

CRITICAL
CVSS severity
9.9
CVSS base score
2026-04-23
Published

CWE codes

CWE-79

Sources