PT-2026-30928 · Hackage · Hackage-Server
Published
2026-03-28
·
Updated
2026-03-28
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Hackage package metadata stored XSS vulnerability
User-controlled metadata from
.cabal files are rendered into HTML
href attributes without proper sanitization, enabling stored
Cross-Site Scripting (XSS) attacks. The specific fields affected
are:homepagebug-reportssource-repository.locationdescription(Haddock hyperlinks)
The Haskell Security Response Team audited the entire corpus of
published packages on
hackage.haskell.org—all published
package versions but not candidates. No exploitation attempts
were detected.To fix the issue, hackage-server now inspects target URIs and only
produces a hyperlink when the URI has an approved scheme:
http,
https, and (only for some fields) mailto.The fix has been committed and deployed on
hackage.haskell.org. Other operations of hackage-server
instances should update as soon as possible to commit
2de3ae45082f8f3f29a41f6aff620d09d0e74058 or later.Acknowledgements
- Joshua Rogers (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
- Fraser Tweedale implemented the fix.
- Gershom Bazerman merged the fix and deployed it to
hackage.haskell.org.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Hackage-Server