CVE-2026-40472 Overview
A stored Cross-Site Scripting (XSS) vulnerability has been identified in hackage-server, the software that powers the Haskell package repository. User-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, allowing attackers to inject malicious scripts that execute in the context of other users' browsers when they view affected package pages.
Critical Impact
Attackers can upload malicious Haskell packages with crafted .cabal metadata to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, and supply chain attacks against the Haskell development community.
Affected Products
- hackage-server (versions prior to security patch)
Discovery Timeline
- 2026-04-23 - CVE CVE-2026-40472 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40472
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how hackage-server processes and renders metadata fields from .cabal package description files.
When a Haskell developer uploads a package to Hackage, the server parses the accompanying .cabal file which contains metadata such as package URLs, homepage links, bug tracker addresses, and author information. These metadata fields are subsequently rendered into HTML pages that display package information to visitors.
The vulnerability arises because the server fails to properly sanitize or encode user-supplied values before inserting them into href attributes within anchor tags. This allows an attacker to break out of the attribute context and inject arbitrary JavaScript code using various techniques such as javascript: URI schemes or event handlers.
Root Cause
The root cause is insufficient input validation and output encoding when rendering .cabal metadata fields into HTML. The application trusts user-supplied data from package uploads and directly embeds it into HTML attributes without applying proper context-aware encoding. Fields such as homepage, bug-reports, source-repository, and similar URL-type fields in .cabal files are particularly susceptible to this injection.
Attack Vector
This is a network-based attack requiring low privileges (an authenticated Hackage account capable of uploading packages) and no user interaction beyond the victim viewing the malicious package page. The attack is stored (persistent), meaning the malicious payload remains on the server and affects all users who view the compromised package listing.
An attacker would craft a .cabal file with malicious content in URL fields, such as injecting javascript:alert(document.cookie) or breaking out of the href attribute to add onmouseover event handlers. Once the package is uploaded, any user browsing to that package's page would have the malicious script executed in their browser session.
The stored nature of this XSS vulnerability combined with Hackage's role as a central package repository makes this particularly dangerous, as it could be leveraged for supply chain attacks or to compromise developer accounts with package publishing privileges.
Detection Methods for CVE-2026-40472
Indicators of Compromise
- Review uploaded .cabal files for suspicious URL patterns containing javascript:, data:, or HTML event handler syntax
- Monitor for packages with unusual characters in metadata URL fields such as <, >, ", ', or encoded variants
- Check browser console logs or WAF alerts for XSS-related payload signatures in package metadata contexts
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Deploy Web Application Firewall (WAF) rules to flag packages containing potential XSS payloads in .cabal metadata
- Enable logging and alerting for package uploads containing non-standard URL schemes in URL-type fields
Monitoring Recommendations
- Monitor server logs for unusual package upload patterns or high-frequency submissions from single accounts
- Set up alerts for user-reported suspicious behavior or unexpected script execution on package pages
- Regularly audit recently uploaded packages for compliance with expected URL format patterns
How to Mitigate CVE-2026-40472
Immediate Actions Required
- Review recently uploaded packages for potential malicious .cabal metadata payloads
- Implement strict Content Security Policy headers that prevent inline JavaScript execution
- Consider temporarily restricting package uploads while remediation is implemented
- Apply available security patches for hackage-server immediately
Patch Information
Users should refer to the OSV Vulnerability Report HSEC-2026-0004 for detailed patch information and updated versions of hackage-server that address this vulnerability. Administrators should upgrade to the latest patched version as soon as it becomes available.
Workarounds
- Implement server-side validation to reject .cabal files containing javascript:, data:, or vbscript: URI schemes in URL fields
- Apply HTML entity encoding to all user-supplied metadata before rendering in HTML contexts
- Deploy a strict Content Security Policy that blocks inline scripts and restricts script sources to trusted origins
- Consider using a whitelist approach that only permits http:// and https:// schemes in URL-type .cabal fields
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
